Researchers discovered the active exploitation of a zero-day vulnerability in AVTECH IP cameras by the Corona Mirai malware botnet. Given that the cameras have already reached end-of-life, no vulnerability fix will arrive, making it inevitable for users to abandon them.
Corona Mirai Malware Botnet Exploits Unpatched Zero-Day In AVTECH IP Cameras
According to a recent post from Akamai, researchers observed numerous exploitations from the Corona Mirai malware botnet against an unpatched vulnerability in AVTECH IP cameras.
Specifically, the vulnerability under attack, CVE-2024-7029, caught the attention of the researcher, Aline Eliovich. It received a high severity rating with a CVSS score of 8.7. The flaw exists in the cameras’ brightness function within the file /cgi-bin/supervisor/Factory.cgi
. According to the researchers,
…the “
brightness
” argument in the “action=
” parameter allows for command injection.
What’s peculiar about this vulnerability is that despite being known for at least five years and having PoC exploits in the wild, it never received a CVE until August 2024. Thankfully, it escaped active exploitation until March 2024, when Akamai researchers found active Corona campaigns exploiting the flaw. Nonetheless, their analysis traced such exploitation attempts to December 2023.
The vulnerability impacts AVTECH IP cameras AVM1203 firmware versions FullImg-1023-1007-1011-1009 and earlier. Since the affected model reached end-of-life several years ago, it won’t receive a vulnerability fix to mitigate the threat. Hence, users still running these unsupported IP cameras are at risk until they get rid of the affected devices.
Regarding the attack strategy, Akamai observed the Corona Mirai malware botnet exploiting the zero-day to execute malicious codes via remote attacks. The attackers attempt to “run a JavaScript file to fetch and load their main malware payload.” Following execution, the malware connects to various hosts through Telnet on ports 23, 2323, and 37215.
CISA Warned Of The Vulnerability Earlier
Soon after this vulnerability received a CVE ID, the US CISA issued an alert for users, warning about active exploitation. According to the advisory, the threat exists globally, particularly targeting the healthcare, commercial, and financial sectors—the major users of vulnerable devices.
Since no working vulnerability fix will arrive, CISA advises users to apply mitigations to alleviate the risks. These steps include reducing network exposure for control systems/devices, isolating local control systems/devices behind firewalls, and securing remote access with VPNs.
Let us know your thoughts in the comments.