Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Hard-coded credentials in YI Home Camera 2 firmware 2.1.1_20171024151200 allow adjacent network attackers to gain complete device control without authentication. The vulnerability exists in the /home/web/ipc file component and enables full compromise of confidentiality, integrity, and availability. Public exploit code exists (SSVC: poc) and vendor Yi Technology did not respond to responsible disclosure, leaving devices unpatched. EPSS score is low (0.02%, 5th percentile) despite total technical impact, suggesting limited widespread exploitation but significant risk for exposed IoT camera deployments on shared networks.
Technical ContextAI
This is a CWE-259 (Use of Hard-coded Credentials) vulnerability affecting the web interface component of YI Home Camera 2 IoT devices. The affected file /home/web/ipc likely contains embedded authentication credentials (username/password, API keys, or certificates) compiled directly into the firmware binary. Hard-coded credentials are a common anti-pattern in embedded systems where manufacturers include default or backdoor access for debugging, support, or factory operations but fail to remove them before production release. CVSS 4.0 vector indicates Adjacent Network (AV:A) access requirement - attackers must be on the same local network segment (LAN, Wi-Fi) as the camera, not remotely over the Internet. The Low Attack Complexity (AC:L) and No Privileges Required (PR:N) means exploitation is straightforward once network adjacency is achieved. The High impact ratings (VC:H/VI:H/VA:H) with No Subsequent impact (SC:N/SI:N/SA:N) indicate complete compromise of the camera itself without lateral movement to other systems.
RemediationAI
No vendor-released patch identified at time of analysis - Yi Technology did not respond to responsible disclosure attempts. Primary mitigation is network segmentation: isolate YI Home Camera 2 devices on a dedicated VLAN or IoT network segment with strict firewall rules preventing lateral movement to trusted networks. Block all inbound access to camera web interface (typically TCP ports 80/443/8080) from untrusted network zones using ACLs or firewall policies. If camera must be accessible remotely, implement VPN-only access rather than direct exposure, and enforce strong authentication at the VPN gateway. For high-security environments, consider replacing affected devices with alternatives from vendors with active security response programs. Compensating controls trade-offs: Network isolation is highly effective but requires managed network infrastructure (may not be feasible for home users with consumer routers). Disabling web interface if camera supports mobile-app-only operation reduces attack surface but limits management flexibility. Continuous monitoring for unauthorized access via camera logs or network IDS signatures for /home/web/ipc access patterns can provide detection, though alert fatigue risk is moderate. Users unable to implement network controls should disconnect affected cameras from networks containing sensitive systems or data.
Same weakness CWE-259 – Use of Hard-coded Password
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13591