Security Advisory: Remote Code Execution on Diviotec IP Camera (CVE-2025-5113)

Quentin Kaiser
Lead Security Researcher

Introduction

This is the third installment of our command injection series affecting CGI shell scripts. This time we're exploring vulnerabilities affecting Diviotec IP cameras. Again, these vulnerabilities were automatically spotted by our recently introduced bash static code analyser.

Remote Unauthenticated Command Execution

Affected vendor & product:
  • Diviotec nbr222p
  • Diviotec nbr222pv
  • Diviotec nbr224p
  • Diviotec nbr225p
  • Diviotec nbr226p
  • Diviotec nbf232p
  • Diviotec nbf233p
  • Diviotec ndr252p
  • Diviotec ndr255p
Vendor advisory: N/A
Vulnerable version: All
Fixed version: N/A
CVE IDs: CVE-2025-5113
Impact (CVSS): CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (8.6 - High)
Credit: ONEKEY Research Lab

Summary

The Diviotec professional series exposes a web interface. One endpoint is vulnerable to arbitrary command injection and hardcoded passwords are used.

Impact

A remote unauthenticated attacker can gain remote code execution with elevated privileges on affected devices. The obtained privileges are those of the 'apache' user, which can elevate to root without a password.

Description

These devices expose a web interface through which operators set them up and configure them. Within this web interface, CGI scripts written in bash are used. Some of these scripts pass user-controlled input to shell commands (here, sed) without proper sanitization.

The vulnerable script is located at usr/apache/htdocs/cgi-bin/camctrl.cgi within the UBI filesystem.

By following a long taint propagation chain that starts by reading the QUERY_STRING environment variable, we end up in a sed call where untrusted user input is used unsanitized:

This whole chain of events can be exploited by sending a request like this:

curl -X POST -u admin:1234 'http://ip.of.device/cgi-bin/camctrl.cgi?digitalzoom_num=;id>a/e#'
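As an added illustration (not the advisory's camctrl.cgi, whose source is not reproduced on this page), a hypothetical bash CGI fragment showing the injectable pattern next to a hardened version that allow-lists digitalzoom_num before it reaches sed; get_param, build_zoom_cmd_unsafe, valid_zoom and set_zoom_safe are assumed names.

```shell
#!/bin/bash
# Added illustration, not the device's camctrl.cgi: a hypothetical CGI fragment that
# takes digitalzoom_num from QUERY_STRING and uses it in a sed call, first in an
# injectable shape, then in a hardened shape.

# Extract one parameter from a raw CGI query string (constructed helper; no URL decoding).
get_param() {  # $1 = query string, $2 = key
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Injectable shape: the raw value is interpolated into a command line that is later
# handed to a shell (eval, sh -c or similar), so a ';' in the value terminates the sed
# command and starts a new one. This function only builds and returns the command line.
build_zoom_cmd_unsafe() {  # $1 = query string, $2 = config file
    local zoom
    zoom=$(get_param "$1" digitalzoom_num)
    printf 'sed -i s/^zoom=.*/zoom=%s/ %s\n' "$zoom" "$2"
}

# Hardened shape: allow-list the value (an integer zoom level of 1-3 digits) before it
# touches any command, quote every expansion, and never run the result through eval.
valid_zoom() {  # $1 = candidate value; returns 0 only for 1-3 decimal digits
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
        ????*)       return 1 ;;   # four or more characters
    esac
    return 0
}

set_zoom_safe() {  # $1 = query string, $2 = config file; 0 on success, 2 on rejected input
    local zoom
    zoom=$(get_param "$1" digitalzoom_num)
    valid_zoom "$zoom" || return 2
    sed -i "s/^zoom=.*/zoom=${zoom}/" "$2"
}
```

With the advisory's payload, build_zoom_cmd_unsafe yields a command line that carries the injected `;id>a/e#`, while set_zoom_safe rejects the same value and leaves the config untouched.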

Authentication is required, but the platform automatically picked up multiple sets of default credentials (users.db, appweb.userpass) that can be used.

Since CGI scripts are executed by the 'apache' user, the command we inject is also being executed with the 'apache' user privileges. This is not really a limitation since a privilege escalation flaw affects that specific user.

The ONEKEY platform automatically checks for sudoers misconfigurations, including misuse of GTFO binaries. In this case, it's a simple 'execute everything without password' rule that has been applied to the 'apache' user:

Even the firmware devs made it clear in the sudoers config:
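An added example of the kind of sudoers check described above, not the ONEKEY platform's own code: find_nopasswd_all and the SAMPLE_SUDOERS excerpt are constructed for illustration and are not the device's real file.

```shell
#!/bin/bash
# Added example (not ONEKEY's platform check): flag sudoers rules that let a given user
# run any command without a password, run over a constructed sudoers excerpt.

# Constructed sudoers excerpt; the advisory does not reproduce the device's real file.
SAMPLE_SUDOERS='Defaults env_reset
root    ALL=(ALL:ALL) ALL
# web server needs to run everything for the CGI scripts (constructed comment)
apache  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%wheel  ALL=(ALL) ALL'

# Print each rule granting user "$1" NOPASSWD on ALL commands from the sudoers text in "$2".
# Returns 0 if at least one such rule exists, 1 otherwise. Rules that are NOPASSWD but
# restricted to a specific binary (like the backup line) are not reported.
find_nopasswd_all() {  # $1 = user, $2 = sudoers text
    printf '%s\n' "$2" | awk -v user="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blank lines
        $1 == user && /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print; found = 1 }
        END { exit found ? 0 : 1 }'
}
```
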

Recommendations

Immediately isolate affected cameras from the internet, replace any default or weak passwords, and request a firmware update from Diviotec/Nexcomm. Once patched, re-audit CGI scripts to verify proper input sanitization and remove any unnecessary sudo privileges for the apache user.

Key Takeaways

  • Bash-based CGI scripts are high-risk. Even simple shell scripts exposed via web interfaces can harbor deep taint-propagation issues if user input isn’t rigorously sanitized. In this case, untrusted data flowed from QUERY_STRING into a sed invocation, enabling arbitrary command execution.
  • Default credentials amplify impact. Although authentication gates the vulnerable endpoint, multiple hardcoded usernames and passwords (e.g., from users.db and appweb.userpass) permit unauthenticated attackers to bypass access controls—turning a “protected” CGI script into an open door.
  • Privilege escalation makes it even worse. Exploits run as the apache user, which on these devices is configured in sudoers to execute any command without a password. In practice, that means remote code execution trivially escalates to root.
  • Automated static analysis finds real bugs. Our custom Bash static code analyzer flagged the insecure camctrl.cgi script automatically—underscoring the value of automated SBOM-driven analysis even when source code isn’t centrally available.
  • Network hygiene remains the frontline defense. Until Diviotec issues a patch, operators must limit camera exposure (e.g., VLAN segmentation, firewall rules) and rotate all credentials. This “zero trust” mindset buys time against undetected or unpatched vulnerabilities.
  • Vendor coordination and disclosure timelines matter. ONEKEY followed a 90-day disclosure window, notifying Diviotec multiple times (early March, mid-April, late-April) and involving Nexcomm once they assumed ownership. This timeline highlights how protracted firmware-patch cycles can be.

Timeline

  • 04/03/2025 - ONEKEY sends a notification to sales, support, security, csirt, psirt @ diviotec.com
  • 15/04/2025 - ONEKEY sends a notification to sales, support, security, csirt, psirt @ diviotec.com
  • 27/04/2025 - ONEKEY sends a notification to sales, support, security, csirt, psirt @ diviotec.com + multiple personal emails from Nexcomm (new owner of Diviotec)
  • 02/06/2025 - End of 90 days disclosure window
  • 03/06/2025 - Advisory publication by ONEKEY.
