FNKvision Y215 Camera CVE-2025-9380
HIGHSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability was identified in FNKvision Y215 CCTV Camera 10.194.120.40. Affected by this issue is some unknown functionality of the file /etc/passwd of the component Firmware. Such manipulation leads to hard-coded credentials. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Hard-coded root credentials in FNKvision Y215 CCTV Camera firmware (version 10.194.120.40) allow local authenticated attackers with low privileges to escalate to root access, achieving complete system compromise. Public exploit code demonstrates credential extraction from firmware binaries. EPSS score of 0.01% (2nd percentile) indicates minimal observed scanning activity despite public POC availability, likely due to the local access requirement limiting remote mass exploitation. CISA KEV does not list this CVE, suggesting no confirmed widespread active exploitation targeting these IoT cameras.
Technical ContextAI
This vulnerability stems from CWE-259 (Use of Hard-coded Password), a critical security anti-pattern in embedded systems. The FNKvision Y215 camera firmware stores root credentials directly in the /etc/passwd file and multiple compiled binaries, violating secure credential management principles. Hard-coded credentials in IoT/CCTV devices are persistent across all deployed units with identical firmware versions, creating a universal authentication bypass once discovered. The CVSS 4.0 vector (AV:L/AC:L/PR:L) indicates local attack vector with low complexity, requiring an attacker to first gain low-privileged local access to the device before exploiting the hard-coded credentials for privilege escalation. Unlike network services, the /etc/passwd file is accessible only to users with existing shell access or physical firmware extraction capabilities, which constrains the attack surface to scenarios where attackers have already compromised the device at a lower privilege level or have physical access for firmware dumping.
Affected ProductsAI
FNKvision Y215 CCTV Camera running firmware version 10.194.120.40 is confirmed affected per researcher disclosure at vorachat.somsuay.com. The vulnerability exists in the device firmware component managing /etc/passwd and multiple compiled binaries where root credentials are hard-coded. No CPE string is available in NVD data. Vendor FNKvision did not respond to vulnerability disclosure attempts, and no vendor security advisory exists. Other firmware versions of the Y215 model or other FNKvision camera models may be affected if they share the same firmware codebase, but this has not been independently confirmed.
RemediationAI
No vendor-released patch identified at time of analysis - FNKvision did not respond to researcher disclosure. Primary mitigations require manual intervention: (1) Replace affected FNKvision Y215 cameras with alternative products from vendors with active security support programs, recommended for high-security deployments. (2) Network segmentation: isolate cameras on dedicated VLAN with no internet access and strict firewall rules allowing only authenticated video management system (VMS) connections; trade-off is reduced remote accessibility and increased network complexity. (3) Physical security controls: restrict physical access to camera installation locations and network infrastructure to prevent firmware extraction or console access; effectiveness depends on facility security maturity. (4) Monitor authentication logs for anomalous root login attempts from unexpected sources, though hard-coded credentials make attribution difficult. (5) Implement network-based behavioral monitoring to detect post-exploitation activity (unusual outbound connections, lateral movement). Compensating controls cannot eliminate the vulnerability but reduce exploitation likelihood by controlling the local access prerequisite. Organizations should assess risk tolerance and consider device replacement if the deployment context enables the local access vector required for exploitation.
Same weakness CWE-259 – Use of Hard-coded Password
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today