Remote Command Execution (RCE) via a Hidden Backdoor
Executive summary
A critical Remote Command Execution (RCE) vulnerability has been discovered in the Yi IOT XY-3820 smart camera (firmware v6.0.24.10), affecting the cmd binary. While this binary is not invoked during normal camera operation, it can be manually triggered (either locally or via another vulnerability) to spawn a root-level command server on TCP port 999.
Once active, the binary listens indefinitely and processes commands sent over the network, resulting in unauthenticated, root-level code execution.
Context
The vulnerable component is a lightweight binary named cmd, with the following characteristics:
Size: ~4.3KB, indicating minimal logic.
Never executed during the camera's default boot sequence.
When launched (e.g., via CVE-2025-29660), it binds to TCP port 999 and enters a loop awaiting commands.
Figure 1
Vulnerability Details
Once a connection is established, the server:
Accepts the incoming socket.
Waits for a payload that contains the marker string "$$boundary\r\n".
Executes the command preceding that marker.
Explicitly ignores the reboot command but accepts everything else.
There is no authentication or filtering, and all commands are executed with root privileges.
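The protocol above is simple enough to detect on the wire: every request to the backdoor port is a shell command followed by a fixed marker. The following Python is an added example for defenders (not code from the advisory or the vendor): it parses the payload format described above and raises an alert for any client-to-server data on port 999 that carries the marker, recording the command that the server would execute. The Flow record shape and the sample flows are constructed for this example; the exact-match check for the ignored reboot command is an assumption based on the advisory's wording, and the trailing CRLF is treated as optional so that a payload like the PoC on this page (which omits it) is still caught.

```python
from dataclasses import dataclass
from typing import Optional, Iterable, List

MARKER = b"$$boundary"   # marker from the advisory; "\r\n" normally follows it
BACKDOOR_PORT = 999      # TCP port the cmd binary binds to


@dataclass(frozen=True)
class Flow:
    """One client-to-server TCP payload (hypothetical record shape, e.g. from a sensor)."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    command: str
    would_execute: bool  # False only for the "reboot" command the binary ignores


def extract_command(payload: bytes) -> Optional[bytes]:
    """Return the bytes preceding the first marker, or None if the marker is absent.

    The trailing CRLF after the marker is not required, so a payload that omits it
    is still recognised.
    """
    idx = payload.find(MARKER)
    if idx == -1:
        return None
    return payload[:idx]


def inspect_flow(flow: Flow) -> Optional[Alert]:
    """Alert on any payload to the backdoor port that carries the marker."""
    if flow.dst_port != BACKDOOR_PORT:
        return None
    cmd = extract_command(flow.payload)
    if cmd is None:
        return None
    text = cmd.decode("utf-8", errors="replace").strip()
    # Assumption: the server ignores exactly "reboot" and executes anything else.
    return Alert(flow.src, flow.dst, text, would_execute=(text != "reboot"))


def scan(flows: Iterable[Flow]) -> List[Alert]:
    """Run inspect_flow over a batch of flows and keep only the alerts."""
    return [a for a in (inspect_flow(f) for f in flows) if a is not None]


# Constructed sample flows; not captured from a real device.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 999, b"id > /tmp/PWNED$$boundary\r\n"),
    Flow("10.0.0.5", "10.0.0.20", 999, b"reboot$$boundary\r\n"),
    Flow("10.0.0.5", "10.0.0.20", 999, b"hello"),             # no marker: not the protocol
    Flow("10.0.0.5", "10.0.0.20", 80, b"id$$boundary\r\n"),   # wrong port: ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

Running the block prints two alerts: the id command (which the server would execute as root) and the reboot command (flagged, but marked as ignored by the server). Because the binary performs no authentication, any such flow from an unexpected source is worth treating as an intrusion indicator, and the camera's port 999 should not be reachable from untrusted networks at all.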
Proof of Concept (PoC)
To exploit the vulnerability:
Ensure the cmd binary is running (manually or via CVE-2025-29660).
Connect to the device’s port 999/tcp.
Send the desired shell command, followed by the marker: $$boundary\r\n.
id > /tmp/PWNED$$boundary
This will write the output of id to /tmp/PWNED on the device.
A full demonstration is available here, showing how this RCE can be triggered in combination with CVE-2025-29660, allowing an attacker to remotely spawn the cmd service and gain full command execution.
Risk and Impact
Unauthenticated Remote Code Execution via an exposed TCP port.
Privileged Execution Context (root).
Chaining potential with other CVEs (notably CVE-2025-29660).
Device takeover, malware persistence, lateral movement possible.
Acknowledgements
This vulnerability was discovered by Yassine Damiri. The research helps improve awareness around the security risks posed by weak input validation and serves as a basis for further security improvements.
Disclaimer
This repository is intended for educational and ethical hacking purposes only. Unauthorized access to devices or systems is illegal. Always obtain proper authorization before conducting security testing.