
CVE-2025-25680: Arbitrary Code Execution via a specially crafted QR code

Published 1 January 1970
CVSS 7.7
LSC
PTZ Dualband Camera
4.9.18
Executive summary

This repository demonstrates a critical security vulnerability discovered in the LSC PTZ Dualband Camera. The flaw, located in the tuya_ipc_direct_connect function of the anyka_ipc process, allows remote arbitrary code execution when a specially crafted QR code is presented to the camera during Wi-Fi configuration.

Context

The vulnerability occurs due to improper input validation in the camera's QR code scanning function. Malicious payloads can be injected into the Wi-Fi password field of the QR code, enabling an attacker to execute arbitrary system commands on the camera device.

Figure 1 (image without caption)

Affected Devices

  • Device: LSC PTZ Dualband Camera
  • Firmware: Devices using firmware with SDK version 4.9.18 or earlier
  • Vulnerability Type: Command Injection (CWE-77)
  • Severity: High – remote arbitrary code execution

Attack Vector

Exploitation of this vulnerability occurs when a malicious QR code is presented to the camera. The camera processes the QR code’s password field without properly sanitizing the input, allowing arbitrary system commands to be executed. An attacker can craft a payload like the following example:

```json
{
    "s": "WIFI_NAME",
    "p": "WIFI_PASSWORD; touch /tmp/POUXY",
    "t": "2387263876"
}
```

Steps to Exploit

  1. Generate the malicious QR code:
    • Create a QR code with a custom payload, such as arbitrary system commands placed in the password field.
  2. Present the QR code:
    • Hold the generated QR code in the camera's scan range during its Wi-Fi configuration process.
  3. Trigger command execution:
    • Upon scanning the malicious QR code, the camera processes the payload and the command (e.g., touch /tmp/POUXY) is executed on the system.

Mitigation

To mitigate the vulnerability, it’s recommended to:

  • Disable QR code Wi-Fi configuration until an official patch is available.
  • Apply firmware updates as they become available from the manufacturer to improve input sanitization.
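The following is an added example (not code from this advisory or from the camera firmware) contrasting the unsafe pattern described under Attack Vector, a QR-code PSK spliced into a shell command line, with the input sanitization the Mitigation section calls for: length and character-set validation of the PSK plus passing it as a single argv element so no shell ever parses it. The helper binary path and all function names are hypothetical.

```c
/* Added example, not code from the advisory or the camera firmware. Contrasts
 * a shell-interpolated PSK with a validated PSK passed as one argv element.
 * Tool path and function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PSK_MIN 8                      /* WPA2 passphrase length bounds */
#define PSK_MAX 63
#define SSID_MAX 32
#define WIFI_TOOL "/usr/bin/wifi_set"  /* hypothetical helper binary */

/* Unsafe: SSID and PSK are spliced into one string destined for system().
 * A PSK such as "WIFI_PASSWORD; touch /tmp/POUXY" keeps its ';', so a shell
 * would treat the remainder as a second command. Only the string is built
 * here; nothing is executed. */
int build_wifi_cmd_unsafe(char *out, size_t outlen, const char *ssid, const char *psk)
{
    int n = snprintf(out, outlen, WIFI_TOOL " %s %s", ssid, psk);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Validation: accept only 8..63 printable ASCII bytes, the WPA2 passphrase
 * alphabet. Control characters (newlines that could inject config lines) are
 * rejected. ';' is legal in a passphrase, so blocklisting it would break real
 * passwords; keeping the PSK away from a shell is what removes the risk. */
int psk_is_valid(const char *psk)
{
    size_t len = psk ? strlen(psk) : 0;
    if (len < PSK_MIN || len > PSK_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)psk[i];
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Safe: build an argv vector for execv()/posix_spawn(). Without a shell the
 * PSK is exactly one argument whatever metacharacters it contains.
 * argv must hold 4 pointers. Returns 0 on success, -1 if validation fails. */
int build_wifi_argv_safe(const char *argv[4], const char *ssid, const char *psk)
{
    if (ssid == NULL || ssid[0] == '\0' || strlen(ssid) > SSID_MAX || !psk_is_valid(psk))
        return -1;
    argv[0] = WIFI_TOOL;
    argv[1] = ssid;
    argv[2] = psk;   /* delivered verbatim to the helper, never parsed by a shell */
    argv[3] = NULL;
    return 0;
}
```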

Acknowledgements

This vulnerability was discovered by Yassine Damiri. The research helps improve awareness around the security risks posed by weak input validation and serves as a basis for further security improvements.

Disclaimer

This repository is intended for educational and ethical hacking purposes only. Unauthorized access to devices or systems is illegal. Always obtain proper authorization before conducting security testing.

Author

Yassine Damiri

© 2023 Yassine Damiri. All Rights Reserved.