CVE-2018-17558

high-risk
Published 2023-10-26

Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM.1.6.18, TVIP11550 MG.1.6.03, TVIP21050 MG.1.6.03, and TVIP51550 MG.1.6.03 cameras allow remote attackers to execute code as root.

Do I need to act?

2.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Tvip 10000 Firmware
Tvip 10001 Firmware
Tvip 10005 Firmware
Tvip 10005A Firmware
Tvip 10005B Firmware
Tvip 10050 Firmware
Tvip 10051 Firmware
Tvip 10055A Firmware
Tvip 10055B Firmware
Tvip 10500 Firmware
Tvip 10550 Firmware
Tvip 11000 Firmware
Tvip 11050 Firmware
Tvip 11500 Firmware
Tvip 11501 Firmware
Tvip 11502 Firmware
Tvip 11550 Firmware
Tvip 11551 Firmware
Tvip 11552 Firmware
Tvip 20000 Firmware

Affected Vendors

63 / 100 high-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 25/34 · High