This vulnerability (with proof-of-concept (PoC) code) affects DVR/NVR devices built on the HiSilicon hi3520d and similar systems on a chip (SoCs).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, resulting in full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99bc8c93a2391b855d891b855d891b855d891b855d8
Found HiSiliconDVR firmware. Hardware: General MBD9016D-F. Vulnerable to multiple issues: LFI, possibly RCE.
Open service 185.158.172.248:80
2024-09-10 01:06
HTTP/1.1 200 OK
CONNECTION: keep-alive
Date: Mon, 09 Sep 2024 17:06:03 GMT
Last-Modified: Thu, 30 Dec 2021 12:43:44 GMT
Etag: "1640868224:cf7"
CONTENT-LENGTH: 3319
CACHE-CONTROL: max-age=0
P3P: CP=CAO PSA OUR
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'
X-Content-Type-Options: nosniff
CONTENT-TYPE: text/html