KiloView Dual Channel 4K HDMI and 3G-SDI HEVC Video Encoder Unauthenticated Factory Reset Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the KiloView Dual Channel 4K HDMI & 3G-SDI HEVC Video Encoder, firmware version 1.20.0006. The issue arises from an unauthenticated API endpoint that allows remote attackers to trigger a factory reset. The reset can disrupt the device's operation, and if the device remains accessible afterward, an attacker can log in with the default credentials and gain full access to the device's dashboard and video feed.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by disrupting the device's operation through an unauthorized factory reset. If the device is still reachable afterward, it can be accessed with default credentials, providing full administrative rights.

Reproduction

The vulnerability can be reproduced by sending a request to the '/api/systemctrl/system/reFactory' endpoint without any authentication. This request triggers a factory reset on the device. After the reset, if the device is still accessible, it can be logged into using default credentials, which allows access to the device's dashboard and video feed.

Remediation

Users are advised to update to the patched version of the firmware, which is available through the KiloView support channels.
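Until the firmware is updated, requests to the endpoint named above can be monitored. The following detection sketch is an added example, not part of the original advisory or KiloView's code: it assumes access logs in combined log format from a reverse proxy or gateway in front of the encoder, and the management range and the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote
# Endpoint named in the advisory, lowercased for comparison.
RESET_PATH = "/api/systemctrl/system/refactory"
# Assumption: hosts permitted to administer the encoder (constructed range).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/28")]
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(target):
    """Drop query/fragment, decode %XX, collapse slashes, lowercase."""
    path = unquote(re.split(r"[?#]", target, maxsplit=1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def is_mgmt(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)

def find_reset_requests(lines):
    """One finding per request to the reset endpoint; method is not stated in the advisory, so any method counts."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) != RESET_PATH:
            continue
        trusted, status = is_mgmt(m["src"]), int(m["status"])
        if trusted:
            severity = "review"      # confirm against a change ticket
        elif 200 <= status < 300:
            severity = "critical"    # request was passed through and accepted
        else:
            severity = "high"        # blocked or failed attempt
        findings.append({"time": m["ts"], "src": m["src"], "method": m["method"],
                         "status": status, "severity": severity})
    return findings

# Constructed sample log lines, not captured from a real device.
SAMPLE = [
    '10.20.0.5 - - [06/Nov/2025:10:01:12 +0000] "GET / HTTP/1.1" 200 312',
    '198.51.100.23 - - [06/Nov/2025:10:04:40 +0000] "POST /api/systemctrl/system/reFactory HTTP/1.1" 200 41',
    '10.20.0.5 - - [06/Nov/2025:11:30:02 +0000] "POST /api/systemctrl/system/reFactory HTTP/1.1" 200 41',
    '203.0.113.9 - - [06/Nov/2025:12:15:55 +0000] "GET /api//systemctrl/system/refactory?x=1 HTTP/1.1" 403 0',
]
```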

Added: Nov 6, 2025, 6:13 PM
Updated: Nov 6, 2025, 7:59 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.