Lorex 2K Camera CVE-2026-15680
HIGHSeverity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Adjacent-network reach (AV:A) and no auth (PR:N) match the flaw; format-string exploitation is non-trivial (AC:H); code exec as root yields full C:H/I:H/A:H with scope unchanged.
Primary rating from Vendor (zdi).
CVSS VectorVendor: zdi
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the parsing of JSON requests in the sonia binary. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-25884.
AnalysisAI
Remote code execution in the Lorex 2K Indoor Wi-Fi Security Camera lets a network-adjacent, unauthenticated attacker run arbitrary code as root by abusing a CWE-134 format string flaw in the camera's 'sonia' binary. A user-supplied string within a JSON request is passed directly into a format specifier by the CDeviceOperator component, giving full device takeover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be network-adjacent (AV:A) - on the same LAN or Wi-Fi segment as the camera, not across the open Internet - and able to reach the 'sonia' service that parses JSON requests; no authentication is required (PR:N) and no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed rather than uniformly severe. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who gains a foothold on the same Wi-Fi network or LAN segment as the camera - for example a compromised guest device, a rogue access point, or a neighboring wireless client - sends a crafted JSON request containing format specifiers to the sonia service. The malformed format string corrupts memory during parsing and yields code execution as root, giving the attacker full control of the camera to pivot, surveil, or persist. … |
| Remediation | No vendor-released patch identified at time of analysis; the provided data contains only the ZDI advisory (https://www.zerodayinitiative.com/advisories/ZDI-26-398/) with no fixed firmware version, so check Lorex's support portal for firmware updates for the 2K Indoor Wi-Fi camera and apply them once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, conduct a complete inventory of all Lorex 2K Indoor Wi-Fi cameras across the organization and immediately isolate them to a dedicated restricted network segment or disable non-critical units until mitigation is in place. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-134 – Use of Externally-Controlled Format String
View allShare
External POC / Exploit Code
Leaving vuln.today