Severity by source
AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS Vector (Vendor: mitre)
CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Description (CVE.org)
GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs (PUT requests) in plaintext to the serial console. This allows physically-proximate attackers to extract these active tokens to perform unauthorized operations via monitoring the serial UART interface.
Analysis (AI)
Plaintext exposure of pre-signed Backblaze B2 upload URLs in GNCC GP5 camera firmware v7.1.76 allows physically-proximate attackers with serial UART access to harvest live cloud storage tokens. The leaked PUT URLs enable unauthorized write operations against the device's Backblaze B2 cloud storage bucket until the tokens expire. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires physical access to the GNCC GP5 device to attach to its serial UART debug interface, plus a window in which the camera emits a pre-signed Backblaze B2 upload URL to the console (typically during upload operations) and during which that URL has not yet expired. … |
| Risk Assessment | The CVSS 7.1 score is driven by the AV:P (physical) vector and changed scope (S:C, since the leaked token grants access to a different security authority - Backblaze cloud storage), with high confidentiality and integrity impact but no availability impact. … |
| Exploit Scenario | An attacker with brief physical access to a deployed GNCC GP5 camera opens the housing, attaches a USB-to-UART adapter to the exposed serial header, and passively captures the boot/runtime console log. Within the log they find pre-signed Backblaze B2 PUT URLs and, while these tokens remain valid, replay them from any internet-connected host to upload arbitrary content into the victim's B2 bucket, potentially poisoning recorded footage or exhausting storage quotas. |
| Remediation | No vendor-released patch identified at time of analysis - neither GNCC nor a fixed firmware version is referenced in the available data. … |
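One way a firmware logging path can avoid the exposure described above, as an added example that is not GNCC's code or part of the original record: strip the query string from any URL before the line reaches the console. It assumes the pre-signed credential travels in the query string, as in S3-style pre-signed URLs; `redact_presigned`, `ends_url` and the sample log line are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* A URL in a log line ends at whitespace, a quote, or end of string. */
static int ends_url(char c)
{
    return strchr(" \t\r\n\"'", c) != NULL;   /* also true for '\0' */
}

/* Copy msg into out, replacing the query string of every http(s) URL with
 * "?<redacted>". Assumption: the credential is in the query string.
 * Returns the number of redactions, or -1 if out is too small; out is then
 * left empty so the caller cannot fall back to a half-redacted line. */
int redact_presigned(const char *msg, char *out, size_t cap)
{
    static const char mark[] = "?<redacted>";
    size_t o = 0;
    int in_url = 0, hits = 0;
    if (cap == 0) return -1;
    for (const char *p = msg; *p; ) {
        if (!in_url && (strncmp(p, "http://", 7) == 0 ||
                        strncmp(p, "https://", 8) == 0))
            in_url = 1;
        else if (in_url && ends_url(*p))
            in_url = 0;
        if (in_url && *p == '?') {
            if (o + sizeof mark - 1 >= cap) { out[0] = '\0'; return -1; }
            memcpy(out + o, mark, sizeof mark - 1);
            o += sizeof mark - 1;
            while (!ends_url(*p)) p++;      /* drop query and fragment */
            in_url = 0; hits++;
            continue;
        }
        if (o + 1 >= cap) { out[0] = '\0'; return -1; }
        out[o++] = *p++;
    }
    out[o] = '\0';
    return hits;
}

int main(void)
{
    /* Constructed console line; host, path and token are placeholders. */
    const char *line = "[upload] PUT https://bucket.example.invalid/clip.mp4"
                       "?X-Amz-Signature=PLACEHOLDER&X-Amz-Expires=3600 rc=200";
    char safe[256];
    if (redact_presigned(line, safe, sizeof safe) >= 0) puts(safe);
    return 0;
}
```

Redaction at the logging call keeps the URL host and object path available for debugging while removing the part that authorizes the upload.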
Recommended Action (AI)
Within 24 hours: Inventory all GNCC GP5 devices in use; identify which have Backblaze B2 integration enabled; assess physical security of device locations. …
EUVD-2026-34279
GHSA-82x6-h78j-2frc