Vulnerability Details CVE-2024-6248
Wyze Cam v3 Cloud Infrastructure Improper Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the run_action_batch endpoint of the cloud infrastructure. The issue results from the use of the device's MAC address as a sole credential for authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-22393.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.015
EPSS Ranking 80.5%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2024-6248
-
cpe:2.3:h:wyze:cam_v3:-
-
cpe:2.3:o:wyze:cam_v3_firmware:-
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.0.125
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.0.228
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.0.248
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.0.252
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.0.280
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.1.4
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.10.2700
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.10.2864
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.10.3406
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.10.4054
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.10.7146
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.11.4679
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.11.5859
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.11.7071
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.11.7095
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.2.5
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.3.18
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.3.19
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.6.17
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.7.22
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.8.15
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.8.26
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.8.32
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.9.131
-
cpe:2.3:o:wyze:cam_v3_firmware:4.36.9.139