CVE-2020-24219

moderate-risk

Published 2020-10-06

An issue was discovered on URayTech IPTV/H.264/H.265 video encoders through 1.97. Attackers can send crafted unauthenticated HTTP requests to exploit path traversal and pattern-matching programming flaws, and retrieve any file from the device's file system, including the configuration file with the cleartext administrative password.

Do I need to act?

25.2% chance of exploitation in next 30 days

EPSS score — higher than 75% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

48899

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (2)

Iptv\/H.264 Video Encoder Firmware

Iptv\/H.265 Video Encoder Firmware

Affected Vendors

Szuray

References (6)

Exploit http://packetstormsecurity.com/files/159595/HiSilicon-Video-Encoder-1.97-File-Di...

Exploit https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/

Third Party Advisory https://www.kb.cert.org/vuls/id/896979

Exploit http://packetstormsecurity.com/files/159595/HiSilicon-Video-Encoder-1.97-File-Di...

Exploit https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/

Third Party Advisory https://www.kb.cert.org/vuls/id/896979

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 15/34 · Moderate

Exposure 7/34 · Low