CVE-2023-48121: Notice about Vulnerability in Some EZVIZ Products 20231123

Notice Released By: EZVIZ Security Team

Initial Release Date: 2023-11-23

Vulnerability & Affected Versions:

Some EZVIZ products have been affected by an authentication bypass vulnerability in the Direct Connection Module, which could allow remote attackers to consume services by sending crafted messages to the affected devices (CVE-2023-48121).

Affected Product Models

Affected Versions

Ezviz CS-C6N-xxx

prior to v5.3.x build 20230401

Ezviz CS-CV310-xxx

prior to v5.3.x build 20230401

Ezviz CS-C6CN-xxx

prior to v5.3.x build 20230401

Ezviz CS-C3N-xxx

prior to v5.3.x build 20230401

Scoring:

CVSS v3.1 is adopted in this vulnerability scoring.

(http://www.first.org/cvss/specification-document)

Base score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Fix Progress:

The reported vulnerability has been fully identified and patched into the latest EZVIZ firmware, which has been released to the affected users for firmware update via the EZVIZ App.

Completing Device Firmware Upgrade:

For users with an affected device, they can complete the firmware upgrade via their EZVIZ App on the specific device page to mitigate the vulnerability. Users should have received an upgrade notification and are able to follow the instruction on the update page to complete the upgrade properly.

Source of Vulnerability Information:

The vulnerability was reported to EZVIZ Security Team by ethical hacker Joern (@joerngermany).

Contact Us:

If you believe you have discovered a security vulnerability, please report it to EZVIZ at [email protected], or join our bounty program on YesWeHack. Our security team will be in touch if we need more information.

EZVIZ would like to thank all security researchers and professionals who help test, identify and mitigate potential vulnerabilities in EZVIZ products, ensuring that we continue to respectfully protect people and homes, while securing devices and data.