Geutebrück GmbH has released a firmware update to mitigate an OS command injection vulnerability in its E2 Camera Series, according to a report with NCCIC.
Successful exploitation of this remotely exploitable vulnerability may allow an attacker to inject OS commands that execute as root.
E2 series cameras running firmware versions prior to 22.214.171.124 suffer from the issue, discovered by Davy Douhine of RandoriSec. Douhine validated the new version of the firmware resolves the reported vulnerability.
The DDNS configuration (in the Network Configuration panel) is vulnerable to an OS command injection that runs as root.
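The bug class above, a DDNS hostname field that ends up in a command run as root, is illustrated by this added Python example. It is not Geutebrück's code and says nothing about how the actual firmware is written; the `ddns-update` tool name is hypothetical. It shows the command-construction pattern that leads to injection beside a hardened version that validates the hostname against RFC 1123 label rules and invokes the updater as an argument vector, never through a shell.

```python
import re
import subprocess

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen. Shell metacharacters such as
# ';', '|', '$', '`' and whitespace can never satisfy this pattern.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ddns_hostname(hostname: str) -> bool:
    """Return True only if every label of the hostname is well formed."""
    if not hostname or len(hostname) > 253:
        return False
    labels = hostname.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def unsafe_build_update_command(hostname: str) -> str:
    # Vulnerable pattern: the user-controlled value is spliced into a
    # single string that is later handed to system()/`sh -c`, so any
    # shell metacharacters in it are interpreted by the root shell.
    return f"ddns-update --host {hostname}"


def build_update_argv(hostname: str) -> list:
    """Hardened form: reject anything that is not a hostname, then return
    an argument vector so the value is only ever a single argv element."""
    if not validate_ddns_hostname(hostname):
        raise ValueError("invalid DDNS hostname")
    return ["ddns-update", "--host", hostname]


def run_ddns_update(hostname: str) -> int:
    """Invoke the (hypothetical) updater without a shell; shell=False is
    the default for subprocess.run when argv is a list."""
    argv = build_update_argv(hostname)
    return subprocess.run(argv, check=True).returncode
```

Note that the validation step and the argv form are independent defences: even if a metacharacter slipped past the regex, `subprocess.run` with a list never starts a shell to interpret it.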
CVE-2018-19007 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.2.
The product sees use in the commercial facilities, energy, financial services, and healthcare and public health sectors. It is deployed in Europe, the United States, and Australia.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Germany-based Geutebrück recommends that E2 series IP camera users download and install the newest firmware version, 126.96.36.199, by registering for a new WebClub account or by logging into an existing one.