TITLE Vicon Network Cameras - Authentication Bypass AUTHOR Reginald Dodd / Information Security Engineer https://www.linkedin.com/in/reginalddodd VENDOR Vicon Industries Inc. http://www.vicon-security.com http://www.vicon-security.com/products/network-cameras/ DESCRIPTION Remote unauthenticated users can add an administrator, operator, or guest accounts to various Vicon network cameras by navigating directly to a specific URL. The URL is missing authentication and gives you direct access to the form that creates new accounts. URL: http://<IP>/system/user_pop.php?method=add&ptz_use=0 . With an account, a user can view the live video and alter camera settings. AFFECTED PRODUCTS AND VERSIONS Confirmed in products: V920D, V922D, and V-CELL-HD It is assumed that many more products are affected because the issue was tracked to a single web template that is used in many products of their network cameras. After referencing this issue with the vendor, the vendor supplied a firmware release note (Dated March 2015) that showed many products and their possible vulnerable firmware versions and the fixed firmware versions: V-CELL-IP; V660V-P (Europe) - Version T2_V2.7.3 and prior V920D and V921D - Version T4_V2.1.6 and prior V922D, V923D, V-CELL-HD, V921B, V922B, V923B, CE202D-N and CE202D-WN - Version T6_V1.9.4 and prior V905-CUBE - Version T5_V2.4.3 and prior CE102D-NIR and CE102B-NIR - Version T8_V1.4.3 and prior SN663V, SN680D-WNIR - Version X1_1.4.9 and prior SN663V-A, SN680D-A-WNIR - Version X2_1.2.1 and prior SOLUTION Check this url, http://<IP>/system/user_pop.php?method=add&ptz_use=0, of your ip camera(s). If you can add new accounts with no basic authentication prompt, then update the firmware. A fix is available. Users have to manually update each camera. REFERENCES http://www.vicon-security.com/Software/Vicon_Camera/V9xxCameras_3-15_Firmware-updated_Release_Notes.pdf