Skip to main content

2K Indoor Wi Fi Security Camera

2 CVEs product

Monthly

CVE-2026-15680 HIGH This Week

Remote code execution in the Lorex 2K Indoor Wi-Fi Security Camera lets a network-adjacent, unauthenticated attacker run arbitrary code as root by abusing a CWE-134 format string flaw in the camera's 'sonia' binary. A user-supplied string within a JSON request is passed directly into a format specifier by the CDeviceOperator component, giving full device takeover. Discovered and reported through ZDI (ZDI-26-398 / ZDI-CAN-25884); no public exploit identified at time of analysis.

RCE 2K Indoor Wi Fi Security Camera
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2026-15683 HIGH This Week

Remote code execution affects the Lorex 2K Indoor Wi-Fi Security Camera through improper TLS certificate validation in its device management server, allowing a network-adjacent attacker to impersonate the management server and, when chained with additional flaws, run code as root without any user interaction. The issue was reported through Trend Micro's Zero Day Initiative (ZDI-26-399, formerly ZDI-CAN-26851). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

RCE 2K Indoor Wi Fi Security Camera
NVD
CVSS 3.0
7.5
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH This Week

Remote code execution in the Lorex 2K Indoor Wi-Fi Security Camera lets a network-adjacent, unauthenticated attacker run arbitrary code as root by abusing a CWE-134 format string flaw in the camera's 'sonia' binary. A user-supplied string within a JSON request is passed directly into a format specifier by the CDeviceOperator component, giving full device takeover. Discovered and reported through ZDI (ZDI-26-398 / ZDI-CAN-25884); no public exploit identified at time of analysis.

RCE 2K Indoor Wi Fi Security Camera
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Remote code execution affects the Lorex 2K Indoor Wi-Fi Security Camera through improper TLS certificate validation in its device management server, allowing a network-adjacent attacker to impersonate the management server and, when chained with additional flaws, run code as root without any user interaction. The issue was reported through Trend Micro's Zero Day Initiative (ZDI-26-399, formerly ZDI-CAN-26851). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

RCE 2K Indoor Wi Fi Security Camera
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy