Skip to main content

YI Home Camera 2 CVE-2026-4475

| EUVDEUVD-2026-13591 HIGH
Use of Hard-coded Password (CWE-259)
2026-03-20 cna@vuldb.com
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 29, 2026 - 01:35 vuln.today
v2 (cvss_changed)
CVSS changed
Apr 29, 2026 - 01:11 NVD
8.7 (HIGH) 7.4 (HIGH)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
CVSS changed
Apr 22, 2026 - 21:37 NVD
8.8 (HIGH) 8.7 (HIGH)
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13591
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 07:16 nvd
HIGH 8.8

DescriptionCVE.org

A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Hard-coded credentials in YI Home Camera 2 firmware 2.1.1_20171024151200 allow adjacent network attackers to gain complete device control without authentication. The vulnerability exists in the /home/web/ipc file component and enables full compromise of confidentiality, integrity, and availability. Public exploit code exists (SSVC: poc) and vendor Yi Technology did not respond to responsible disclosure, leaving devices unpatched. EPSS score is low (0.02%, 5th percentile) despite total technical impact, suggesting limited widespread exploitation but significant risk for exposed IoT camera deployments on shared networks.

Technical ContextAI

This is a CWE-259 (Use of Hard-coded Credentials) vulnerability affecting the web interface component of YI Home Camera 2 IoT devices. The affected file /home/web/ipc likely contains embedded authentication credentials (username/password, API keys, or certificates) compiled directly into the firmware binary. Hard-coded credentials are a common anti-pattern in embedded systems where manufacturers include default or backdoor access for debugging, support, or factory operations but fail to remove them before production release. CVSS 4.0 vector indicates Adjacent Network (AV:A) access requirement - attackers must be on the same local network segment (LAN, Wi-Fi) as the camera, not remotely over the Internet. The Low Attack Complexity (AC:L) and No Privileges Required (PR:N) means exploitation is straightforward once network adjacency is achieved. The High impact ratings (VC:H/VI:H/VA:H) with No Subsequent impact (SC:N/SI:N/SA:N) indicate complete compromise of the camera itself without lateral movement to other systems.

RemediationAI

No vendor-released patch identified at time of analysis - Yi Technology did not respond to responsible disclosure attempts. Primary mitigation is network segmentation: isolate YI Home Camera 2 devices on a dedicated VLAN or IoT network segment with strict firewall rules preventing lateral movement to trusted networks. Block all inbound access to camera web interface (typically TCP ports 80/443/8080) from untrusted network zones using ACLs or firewall policies. If camera must be accessible remotely, implement VPN-only access rather than direct exposure, and enforce strong authentication at the VPN gateway. For high-security environments, consider replacing affected devices with alternatives from vendors with active security response programs. Compensating controls trade-offs: Network isolation is highly effective but requires managed network infrastructure (may not be feasible for home users with consumer routers). Disabling web interface if camera supports mobile-app-only operation reduces attack surface but limits management flexibility. Continuous monitoring for unauthorized access via camera logs or network IDS signatures for /home/web/ipc access patterns can provide detection, though alert fatigue risk is moderate. Users unable to implement network controls should disconnect affected cameras from networks containing sensitive systems or data.

Share

CVE-2026-4475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy