CVE-2019-25240

Summary

Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication.

Affected Software

VendorProductVersion RangeStatus
Rifatron Co., Ltd.DVR5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)affected
Rifatron Co., Ltd.DVR7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)affected
Rifatron Co., Ltd.DVRFirmware: <=8.0 (000143)affected

Weaknesses

  • CWE-306: Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References