Macro-video Technologies V380E6_C1 IP Camera Plaintext Credentials Storage Vulnerability

A vulnerability exists in the Macro-video Technologies V380E6_C1 IP camera, specifically in the model with hardware ID Hw_HsAKPIQp_WF_XHR. This vulnerability allows a physically proximate attacker or an attacker with root access to the device to access plaintext Wi-Fi and user credentials stored in the filesystem. The sensitive information is kept in two unprotected files on the flash memory: wifi.ini, which contains Wi-Fi SSID and password, and user_info.ini, which holds the camera user login and password. The issue arises from the lack of encryption for these credentials, leaving them exposed to anyone who can access the device or has gained root access through exploitation of other vulnerabilities.

Impact

Exploitation of this vulnerability leads to unauthorized access to plaintext user and Wi-Fi credentials. This could facilitate credential stuffing attacks on other services and unauthorized access to the Wi-Fi network, potentially allowing for further network-based attacks.

Reproduction

The vulnerability can be reproduced by accessing the camera's root shell, either through UART exploitation or by reading the flash chip contents with a programmer. Once root access is obtained, the plaintext credentials can be retrieved from the wifi.ini and user_info.ini files. Alternatively, the flash chip can be read with a programmer to extract the same credentials.

Remediation

To address this vulnerability, it is recommended to implement measures that prevent unauthorized root access, such as those suggested for CVE-2025-25984. Additionally, credentials should be encrypted using a hardware security module to protect against physical attacks, and camera user passwords should be hashed using a secure algorithm before storage.