Skip to main content

Lorex 2K Camera CVE-2026-15680

HIGH
Use of Externally-Controlled Format String (CWE-134)
2026-07-13 zdi
7.5
CVSS 3.0 · Vendor: zdi
Share

Severity by source

Vendor (zdi) PRIMARY
7.5 HIGH
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Adjacent-network reach (AV:A) and no auth (PR:N) match the flaw; format-string exploitation is non-trivial (AC:H); code exec as root yields full C:H/I:H/A:H with scope unchanged.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zdi).

CVSS VectorVendor: zdi

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 22:10 vuln.today
CVE Published
Jul 13, 2026 - 21:32 cve.org
HIGH 7.5

DescriptionCVE.org

Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the parsing of JSON requests in the sonia binary. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-25884.

AnalysisAI

Remote code execution in the Lorex 2K Indoor Wi-Fi Security Camera lets a network-adjacent, unauthenticated attacker run arbitrary code as root by abusing a CWE-134 format string flaw in the camera's 'sonia' binary. A user-supplied string within a JSON request is passed directly into a format specifier by the CDeviceOperator component, giving full device takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain adjacent-network access to camera
Delivery
Send crafted JSON to sonia service
Exploit
Trigger format-string flaw in CDeviceOperator
Execution
Corrupt memory to hijack control flow
Persist
Execute arbitrary code as root
Impact
Full device takeover and pivot

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be network-adjacent (AV:A) - on the same LAN or Wi-Fi segment as the camera, not across the open Internet - and able to reach the 'sonia' service that parses JSON requests; no authentication is required (PR:N) and no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed rather than uniformly severe. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who gains a foothold on the same Wi-Fi network or LAN segment as the camera - for example a compromised guest device, a rogue access point, or a neighboring wireless client - sends a crafted JSON request containing format specifiers to the sonia service. The malformed format string corrupts memory during parsing and yields code execution as root, giving the attacker full control of the camera to pivot, surveil, or persist. …
Remediation No vendor-released patch identified at time of analysis; the provided data contains only the ZDI advisory (https://www.zerodayinitiative.com/advisories/ZDI-26-398/) with no fixed firmware version, so check Lorex's support portal for firmware updates for the 2K Indoor Wi-Fi camera and apply them once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, conduct a complete inventory of all Lorex 2K Indoor Wi-Fi cameras across the organization and immediately isolate them to a dedicated restricted network segment or disable non-critical units until mitigation is in place. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy