CVE-2023-4249

Summary

Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321

IP Cameras

with firmware version M2.1.6.05 has a command injection vulnerability in their implementation of their binaries and handling of network requests.

Affected Software

VendorProductVersion RangeStatus
ZavioIP Camera CF7500version M2.1.6.05affected
ZavioIP Camera CF7300version M2.1.6.05affected
ZavioIP Camera CF7201version M2.1.6.05affected
ZavioIP Camera CF7501version M2.1.6.05affected
ZavioIP Camera CB3211version M2.1.6.05affected
ZavioIP Camera CB3212version M2.1.6.05affected
ZavioIP Camera CB5220version M2.1.6.05affected
ZavioIP Camera CB6231version M2.1.6.05affected
ZavioIP Camera B8520version M2.1.6.05affected
ZavioIP Camera B8220version M2.1.6.05affected
ZavioIP Camera CD321version M2.1.6.05affected

Weaknesses

  • CWE-121: CWE-121 Stack-Based Buffer Overflow

Workarounds

The affected products are end-of-life and have been identified to contain many insecurities. The vendor, Zavio, is no longer actively in business and therefore development for firmware fixes, mitigations, and updates are not available and will not become available. CISA recommends users discontinue use of the product.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References