API injection causes device reboot


Warning number: GL-2025-0003

Initial release time: 2025-7-10

Update release time: Released with version plan


Summary:

An API of the device did not validate its input parameters during playback. As a result, it did not raise an error when it received abnormal data. Instead, it continued to perform illegal operations, eventually causing the system to crash.

CVE ID assigned to this vulnerability: None.

The vulnerability was discovered by internal testers during a scan with the ZAP vulnerability scanning tool.


Sphere of impact:

Affected versions and models:

NVR 8.2.3

NVR 8.2.4

NVR C1.2

IPC 8.2.3

IPC 8.2.4

IPC C1.2

Name | Version | Model
NVR | 8.2.3 | N7XXX, N8XXX, N63XX, N6312X, N88X, N88SX, D32XX, D33XX2C, D33XX, D315X, D3312X, H7004, H32tXX
NVR | 8.2.4 / C1.2 | Same as above, D75XX, D75XX2C, NA1XX
IPC | 8.2.3 | NT98528, SSC369G
IPC | 8.2.4 | SC335X, SC327DE, 339G, 338G, 30KQ, 338Q, NT98525, NT98528, NT98529, AX620A, SC379G, NT98566, SSC369G
IPC | C1.2 | Same as above, SSC339G, SSC379G, NT98566


Impact and consequences:

Causes the device to restart unexpectedly.

Vulnerability Scoring:

None.

Technical details:

Vulnerability details:

The API parameter injection issue causes the device to crash and then restart.


Temporary workaround:

This API requires authentication and can properly defend against attacks. No workaround is provided for now; the issue will be addressed according to the version plan.


Solution and version update plan:

Solution:

The fix is delivered according to the version plan: parameter verification and exception throwing are added to the API.

Old versions will not be updated.

Version update plan:

The problem is solved starting from version C1.3.


Version acquisition method:
None

Vulnerability information sources and vulnerability exploitation:

We are currently not aware of any other public channels publishing the vulnerabilities mentioned in this article, nor are we aware of any cases where the vulnerabilities have been maliciously exploited.

Technical support channels:
None

Security Advisory Version Revision Information:

This vulnerability has been fixed in NVR and IPC since version C1.3.

FAQs:
None