Revotech I6032W-FHW Authentication Bypass Vulnerability Allowing Privilege Escalation and Information Disclosure

Vulnerability

An authentication bypass vulnerability has been identified in the Revotech I6032W-FHW IP camera firmware, specifically in versions 1.0.0014 prior to 20210517. The vulnerability exists in the '/cgi-bin/jvsweb.cgi' endpoint, where the device fails to properly validate authentication fields in JSON-based API requests. This flaw allows unauthenticated attackers to access administrative API functions, retrieve sensitive information, and escalate privileges without valid credentials.

Impact

Exploitation of this vulnerability allows unauthorized access to administrative API functions, remote disclosure of sensitive user and account information, and unauthorized privilege escalation. Additionally, this vulnerability could be used as a stepping stone for further compromise of the device.

Remediation

Users are advised to apply firmware updates provided by the vendor when available, restrict network access to the device management interface, and monitor and log abnormal or repeated access attempts to the '/cgi-bin/jvsweb.cgi' endpoint.
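As an added defender-side example that is not part of this advisory, the monitoring guidance above can be turned into a small access-log check: it flags requests to '/cgi-bin/jvsweb.cgi' that do not originate from an assumed management subnet, and flags any single source that sends a burst of repeated requests to that endpoint. The management subnet, the burst threshold and window, and the log lines themselves are constructed assumptions, not values from the advisory or the vendor.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2026:17:20:01 +0000] "POST /cgi-bin/jvsweb.cgi HTTP/1.1" 200 512
203.0.113.7 - - [02/Jan/2026:17:20:02 +0000] "POST /cgi-bin/jvsweb.cgi HTTP/1.1" 200 498
203.0.113.7 - - [02/Jan/2026:17:20:03 +0000] "POST /cgi-bin/jvsweb.cgi HTTP/1.1" 200 501
192.168.10.5 - - [02/Jan/2026:17:21:10 +0000] "POST /cgi-bin/jvsweb.cgi HTTP/1.1" 200 510
192.168.10.5 - - [02/Jan/2026:17:25:00 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.9 - - [02/Jan/2026:17:30:45 +0000] "POST /cgi-bin/jvsweb.cgi HTTP/1.1" 200 505
"""

TARGET = "/cgi-bin/jvsweb.cgi"  # endpoint named in the advisory
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one common-log-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, TIME_FMT),
            "method": method, "path": path, "status": int(status)}

def find_suspicious(log_text, mgmt_net="192.168.10.0/24", burst=3, window_s=60):
    """Return (kind, ip, iso_time) alerts for requests to TARGET that come from
    outside the assumed management subnet (mgmt_net is a hypothetical value),
    plus one alert per source that makes >= `burst` requests within `window_s`."""
    allowed = ipaddress.ip_network(mgmt_net)
    alerts, by_ip = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].split("?")[0] != TARGET:
            continue  # only the vulnerable endpoint is of interest here
        if ipaddress.ip_address(rec["ip"]) not in allowed:
            alerts.append(("outside_mgmt_net", rec["ip"], rec["time"].isoformat()))
        by_ip[rec["ip"]].append(rec["time"])
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - burst + 1):  # sliding window over timestamps
            if times[i + burst - 1] - times[i] <= timedelta(seconds=window_s):
                alerts.append(("repeated_access", ip, times[i].isoformat()))
                break
    return alerts
```

Feed it the camera's real access log instead of SAMPLE_LOG and tune mgmt_net, burst and window_s to the deployment; the checks are intentionally coarse because the advisory does not describe the malformed request itself.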

Added: Jan 2, 2026, 5:25 PM
Updated: Jan 2, 2026, 5:25 PM

Vulnerability Rating

Custom Algorithm

  spread:         0.0
  impact:         5.0
  exploitability: 8.7
  remediation:    0.0
  relevance:      1.8
  threat:         6.4
  urgency:        2.9
  incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.