SecurityWeek reports that Nozomi Networks researchers have identified a critical security vulnerability in Annke's N48PBB network video recorder, which could enable remote arbitrary code execution and sensitive data access if exploited.
A Cybersecurity and Infrastructure Security Agency advisory noted worldwide usage of Annke's video surveillance product.
Annke addressed the vulnerability through a firmware update released on July 22, 11 days after being notified of the flaw.
Nozomi researchers initially found the security bug to be a denial-of-service issue before further investigation revealed that threat actors could exploit it for remote code execution with root privileges. While exploiting the vulnerability required authentication, researchers found that attackers could also target devices without authentication because of the absence of cross-site request forgery protections.
"Modern video surveillance systems are classified as internet of things devices, and represent a fundamental component of the physical security of a company. As is often the case with IoT, these devices, though apparently simple, suffer from the same cybersecurity risks as more traditional network devices," said Nozomi.