CVE-2018-18767

low-risk
Published 2018-12-20

An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials.

Do I need to act?

-
0.17% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.0/10 High
LOCAL / HIGH complexity

Affected Products (2)

Mydlink Baby Camera Monitor
Dcs-825L Firmware

Affected Vendors

D-Link Dlink

References (2)

Exploit https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vu...
Exploit https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vu...
26
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 7/34 · Low