Skip to content

Instantly share code, notes, and snippets.


tj-oconnor/CVE-2020-28999.txt Secret

Last active Jan 26, 2021
What would you like to do?
An issue was discovered in Apexis Streaming Video Web Application on
Geeni GNC-CW013 doorbell 1.8.1 devices. A remote attacker can take
full control of the camera with a high-privileged account. The
vulnerability exists because a static username and password are
compiled into a shared library ( used to provide the
streaming camera service.
[Additional Information]
Reported to Merkury Innovations on 21 Nov 20.
[Vulnerability Type]
Incorrect Access Control
[Vendor of Product]
[Affected Product Code Base]
GNC-CW013 Doorbell - Version 1.8.1 (Current)
[Affected Component]
Apexis Streaming Video Web Application
[Attack Type]
[Impact Code execution]
[Attack Vectors]
An attacker is able to remotely login into the web application of the device using an account that is static/hidden from the user.
TJ OConnor, Daniel Campos: Florida Tech IoT S&P Lab
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment