Home

Description

Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issue by supplying absolute file paths.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner VulnCheck




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

M2.1.6.04C014
affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php exploit

www.exploit-db.com/exploits/46320 (ExploitDB-46320) exploit

www.beward.net (Beward Product Homepage) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php (Zero Science Lab Disclosure (ZSL-2019-5511)) third-party-advisory

cve.org (CVE-2019-25246)

nvd.nist.gov (CVE-2019-25246)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.