End-of-life IP cams being used to spread new Mirai botnet
Briefly

"The proof of concept (PoC) for CVE-2024-7029 has been publicly available since at least 2019, but it never had a proper CVE assignment until August 2024," Akamai threat researchers Aline Eliovich, Kyle Lefton and Larry Cashdollar wrote.
"Despite the model in question having been discontinued for several years... these devices are still used worldwide, including by transportation authorities and other critical infrastructure entities," Akamai notes.
The exploit doesn't require a user to be authenticated, and allows an attacker to abuse a flaw in the camera's 'brightness' argument...to inject commands with the same privileges as the owner of the device.
With those other vulnerabilities also present in aged software and hardware, consider this entire story a reminder to not leave out-of-service devices and outdated software on your networks.
Read at The Register