Home

Description

ACE SECURITY WIP-90113 HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network.

PUBLISHED Reserved 2025-10-30 | Published 2025-11-26 | Updated 2025-11-28 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unknown

Any version
affected

Timeline

2020-02-24:Exploit is publicly disclosed

Credits

Todor Donev finder

References

packetstorm.news/files/id/156497/ exploit

cxsecurity.com/issue/WLB-2020020137 exploit

acesecurity.jp/support/top/wip_series/wip-90113 product

www.vulncheck.com/...90113-unauthenticated-config-disclosure third-party-advisory

cve.org (CVE-2020-36874)

nvd.nist.gov (CVE-2020-36874)

Download JSON