A zero-day vulnerability has affected 180,000 to 800,000 CCTV cameras, giving attackers the ability to spy, manipulate video content, and plant malware. The bugs have received a critical rating, and a patch is supposed to be issued today. A company based in Taipei, Taiwan makes the firmware and lists large corporations as its parent companies. Sony, Cisco Systems, D-Link, and Panasonic are among those listed, but it is unclear how many of these OEM partners use the vulnerable software. The first bug (CVE-2018-1149) lets an attacker trigger a buffer overflow, allowing access to the Common Gateway Interface (CGI). The second vulnerability (CVE-2018-1150) exposes the backdoor functions on the NVRMini2 server.

“We believe vulnerable IoT devices such as these raise serious questions about how we as an industry can manage large numbers of devices. Even in a corporate environment, if the number of connected devices grows at the forecasted rate, we are going to need to rethink our patching cadence and methodology,” said Renaud Deraison, co-founder and CTO of Tenable.