Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The impacted element is an unknown function of the file home/web/ipc of the component CGI Endpoint. Performing a manipulation results in missing authentication. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
The YI Home Camera 2 (version 2.1.1_20171024151200) CGI endpoint fails to properly authenticate requests to the /home/web/ipc function, allowing unauthenticated attackers on the local network to manipulate camera settings and access sensitive functionality. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with network access to the camera could read configuration data, modify settings, or disrupt normal operations.
Technical ContextAI
The vulnerability exists in the CGI (Common Gateway Interface) endpoint handling component of the Yi Home Camera 2's web interface, specifically the /home/web/ipc file. The root cause is classified under CWE-287 (Improper Authentication), indicating that the application fails to implement proper credential validation mechanisms for sensitive operations. CGI endpoints are commonly used in embedded devices to handle HTTP requests for configuration and control. The affected technology stack involves a custom web server implementation on the Yi Home Camera 2 hardware platform. Since the exact function is unknown, the vulnerability likely affects multiple CGI handlers that trust network proximity (local network requirement) as a security boundary rather than implementing proper authentication tokens, sessions, or cryptographic verification.
RemediationAI
The primary remediation is to upgrade the YI Home Camera 2 to a newer firmware version if available from Yi Technology; however, given the vendor's non-responsiveness to disclosure, official patched versions have not been confirmed. Until a vendor update is available, implement network-level compensating controls: restrict camera access to a dedicated VLAN or network segment with strict firewall rules, disable remote access to the camera from the internet, and disable the CGI endpoint if not required for essential functionality. For environments that cannot isolate the camera, consider replacing it with a device from a vendor with established security practices and responsive disclosure processes. Monitor network traffic to the camera for suspicious CGI requests to /home/web/ipc and implement intrusion detection signatures. Additional information and tracking is available through VulDB references: https://vuldb.com/?ctiid.351766 and https://vuldb.com/?id.351766.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13598