Skip to main content

Yi Technology YI Home Camera EUVDEUVD-2026-13602

| CVE-2026-4478 HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-03-20 cna@vuldb.com
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
CVSS changed
Apr 22, 2026 - 21:37 NVD
8.1 (HIGH) 8.2 (HIGH)
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13602
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 07:16 nvd
HIGH 8.1

DescriptionCVE.org

A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This impacts an unknown function of the file home/web/ipc of the component HTTP Firmware Update Handler. The manipulation leads to improper verification of cryptographic signature. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

The Yi Technology YI Home Camera 2 version 2.1.1_20171024151200 contains a cryptographic signature verification vulnerability in its HTTP firmware update handler, specifically in the home/web/ipc file component. An attacker can exploit this remotely (network-accessible) to bypass firmware integrity checks and potentially install malicious firmware, though the attack complexity is high and exploitation is considered difficult. A public exploit is available, significantly increasing risk despite the high complexity barrier.

Technical ContextAI

This vulnerability affects the firmware update mechanism of the YI Home Camera 2, which relies on cryptographic signature verification to ensure only authorized firmware updates are installed. The flaw is classified as CWE-345 (Improper Verification of Cryptographic Signature), meaning the HTTP Firmware Update Handler in the home/web/ipc component fails to properly validate the digital signature of firmware packages. This weakness allows an attacker who can position themselves in the network path or manipulate update requests to supply unsigned or maliciously signed firmware that the device will accept. The affected product is a consumer IoT camera device running embedded firmware version 2.1.1_20171024151200, which processes firmware updates over HTTP without adequately verifying their authenticity.

RemediationAI

No vendor patch or security advisory is available as Yi Technology did not respond to vulnerability disclosure attempts, leaving no official remediation path. As an immediate compensatory control, disable remote firmware update functionality if device management interfaces permit this configuration option. Isolate affected YI Home Camera 2 devices on a separate VLAN or network segment with strict firewall rules preventing direct internet access and limiting communication only to essential local services. Implement network-level monitoring to detect anomalous firmware update attempts or unexpected outbound connections. Consider replacing the device with an alternative camera solution from a vendor with an active security response program, as the lack of vendor engagement indicates ongoing exposure without future security updates. If the device must remain deployed, place it behind a reverse proxy or VPN gateway that enforces encrypted connections and validates update sources at the network perimeter.

Share

EUVD-2026-13602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy