TP-Link Patches Multiple Vulnerabilities in NC Cloud Cameras
2020-05-04 12:14

TP-Link has released firmware updates to address several vulnerabilities in its NC series cloud cameras, including bugs that could lead to the remote execution of arbitrary commands.

Tracked as CVE-2020-12111, the first of the command injection flaws impacts the NC260 and NC450 models and could be abused to remotely execute commands as root on affected devices.

Because of this issue, the system name is used in swBonjourStartHTTP as part of a shell command, so a crafted system name could inject arbitrary commands that would then be executed as root.
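The bug class described above, as an added example (not TP-Link firmware code and not taken from the researcher's advisory): a name pasted into a shell command string next to a hardened form that validates the name against an allow-list and passes it as a single argv element. The helper name `mdns-helper`, the functions, `MAX_NAME_LEN` and the allowed character set are all assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_NAME_LEN 32 /* assumed limit, not taken from the firmware */

/* Vulnerable pattern (hypothetical): the name is pasted into a string meant
 * for system(), so a shell would parse any metacharacters it contains. */
int build_unsafe_command(char *out, size_t n, const char *name)
{
    return snprintf(out, n, "mdns-helper --name %s", name);
}

/* Allow-list check: letters, digits, '-', '_' and space only, so shell
 * metacharacters such as ; | & $ ` ( ) and newlines are rejected. */
int is_safe_system_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > MAX_NAME_LEN) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == ' ')) return 0;
    }
    return 1;
}

/* Hardened launch: the validated name is one argv element for execv(), so
 * no shell ever parses it. Returns the helper's exit status, or -1. */
int announce_service(const char *helper_path, const char *name)
{
    int status;
    pid_t pid;
    if (!is_safe_system_name(name)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper_path, (char *)name, NULL };
        execv(helper_path, argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("%d\n", is_safe_system_name("cam; id")); /* constructed input */
    return 0;
}
```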

In addition to these two vulnerabilities, TP-Link addressed a hardcoded encryption key issue in NC200, NC210, NC220, NC230, NC250, NC260, and NC450 device models.

Security researcher Pietro Oliva, who discovered the vulnerabilities, also notes that the issue could allow an attacker to forge encrypted backup files that can be restored via the web interface to write or overwrite arbitrary files.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/hQ5CWa5j0m4/tp-link-patches-multiple-vulnerabilities-nc-cloud-cameras

Related Vulnerability

DATE: 2020-05-04
CVE: CVE-2020-12111
VULNERABILITY TITLE: OS Command Injection vulnerability in Tp-Link Nc260 Firmware and Nc450 Firmware
Certain TP-Link devices allow Command Injection. (network, low complexity, tp-link, CWE-78)
RISK: 8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
TP Link 321 0 74 167 87 328