MidnightBSD

Advisories for meritlilin

CVE-2021-30166 HIGH

The NTP Server configuration function of the IP camera device is not verified with special parameters. Remote attackers can perform a command Injection attack and execute arbitrary commands after logging in with the privileged permission.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
meritlilin p2r6522e2_firmware *
meritlilin z2r6452ax-p_firmware *
meritlilin p2r6352ae2_firmware *
meritlilin p2r3052ae2_firmware *
meritlilin z2r8122x-p_firmware *
meritlilin p2r6822e2_firmware *
meritlilin z2r6422ax_firmware *
meritlilin z2r8022ex25_firmware *
meritlilin p2r6552e2_firmware *
meritlilin z2r8852ax_firmware *
meritlilin z2r6422ax-p_firmware *
meritlilin z2r8822ax_firmware *
meritlilin p2r6822e4_firmware *
meritlilin p2r6522e4_firmware *
meritlilin p2r8822e2_firmware *
meritlilin z2r6452ax_firmware *
meritlilin z2r8122x2-p_firmware *
meritlilin p3r6522e2_firmware *
meritlilin p2r6322ae2_firmware *
meritlilin z3r6522x_firmware *
meritlilin p2r6852e2_firmware *
meritlilin z3r6422x3_firmware *
meritlilin p2r8822e4_firmware *
meritlilin p2g1022x_firmware *
meritlilin z2r8152x-p_firmware *
meritlilin p2g1022_firmware *
meritlilin p2r6552e4_firmware *
meritlilin p3r6322e2_firmware *
meritlilin p2r6322ae4_firmware *
meritlilin z2r8152x2-p_firmware *
meritlilin p2g1052_firmware *
meritlilin p2r8852e4_firmware *
meritlilin p2r6852e4_firmware *
meritlilin z2r6522x_firmware *
meritlilin p2r6352ae4_firmware *
meritlilin z2r6552x_firmware *
meritlilin p2r8852e2_firmware *
meritlilin z2r8052ex25_firmware *
meritlilin p2r3022ae2_firmware *
meritlilin z3r8922x3_firmware *
meritlilin p3r8822e2_firmware *
CVE-2021-30167 HIGH

The manage users profile services of the network camera device allows an authenticated. Remote attackers can modify URL parameters and further amend user’s information and escalate privileges to control the devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-522,CWE-306,

Products Affected

Vendor Product Version
meritlilin p2r6522e2_firmware *
meritlilin z2r6452ax-p_firmware *
meritlilin p2r6352ae2_firmware *
meritlilin p2r3052ae2_firmware *
meritlilin z2r8122x-p_firmware *
meritlilin p2r6822e2_firmware *
meritlilin z2r6422ax_firmware *
meritlilin z2r8022ex25_firmware *
meritlilin p2r6552e2_firmware *
meritlilin z2r8852ax_firmware *
meritlilin z2r6422ax-p_firmware *
meritlilin z2r8822ax_firmware *
meritlilin p2r6822e4_firmware *
meritlilin p2r6522e4_firmware *
meritlilin p2r8822e2_firmware *
meritlilin z2r6452ax_firmware *
meritlilin z2r8122x2-p_firmware *
meritlilin p3r6522e2_firmware *
meritlilin p2r6322ae2_firmware *
meritlilin z3r6522x_firmware *
meritlilin p2r6852e2_firmware *
meritlilin z3r6422x3_firmware *
meritlilin p2r8822e4_firmware *
meritlilin p2g1022x_firmware *
meritlilin z2r8152x-p_firmware *
meritlilin p2g1022_firmware *
meritlilin p2r6552e4_firmware *
meritlilin p3r6322e2_firmware *
meritlilin p2r6322ae4_firmware *
meritlilin z2r8152x2-p_firmware *
meritlilin p2g1052_firmware *
meritlilin p2r8852e4_firmware *
meritlilin p2r6852e4_firmware *
meritlilin z2r6522x_firmware *
meritlilin p2r6352ae4_firmware *
meritlilin z2r6552x_firmware *
meritlilin p2r8852e2_firmware *
meritlilin z2r8052ex25_firmware *
meritlilin p2r3022ae2_firmware *
meritlilin z3r8922x3_firmware *
meritlilin p3r8822e2_firmware *
CVE-2021-30168 HIGH

The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant administrator’s credential and further control the devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-200,CWE-522,

Products Affected

Vendor Product Version
meritlilin p2r6522e2_firmware *
meritlilin z2r6452ax-p_firmware *
meritlilin p2r6352ae2_firmware *
meritlilin p2r3052ae2_firmware *
meritlilin z2r8122x-p_firmware *
meritlilin p2r6822e2_firmware *
meritlilin z2r6422ax_firmware *
meritlilin z2r8022ex25_firmware *
meritlilin p2r6552e2_firmware *
meritlilin z2r8852ax_firmware *
meritlilin z2r6422ax-p_firmware *
meritlilin z2r8822ax_firmware *
meritlilin p2r6822e4_firmware *
meritlilin p2r6522e4_firmware *
meritlilin p2r8822e2_firmware *
meritlilin z2r6452ax_firmware *
meritlilin z2r8122x2-p_firmware *
meritlilin p3r6522e2_firmware *
meritlilin p2r6322ae2_firmware *
meritlilin z3r6522x_firmware *
meritlilin p2r6852e2_firmware *
meritlilin z3r6422x3_firmware *
meritlilin p2r8822e4_firmware *
meritlilin p2g1022x_firmware *
meritlilin z2r8152x-p_firmware *
meritlilin p2g1022_firmware *
meritlilin p2r6552e4_firmware *
meritlilin p3r6322e2_firmware *
meritlilin p2r6322ae4_firmware *
meritlilin z2r8152x2-p_firmware *
meritlilin p2g1052_firmware *
meritlilin p2r8852e4_firmware *
meritlilin p2r6852e4_firmware *
meritlilin z2r6522x_firmware *
meritlilin p2r6352ae4_firmware *
meritlilin z2r6552x_firmware *
meritlilin p2r8852e2_firmware *
meritlilin z2r8052ex25_firmware *
meritlilin p2r3022ae2_firmware *
meritlilin z3r8922x3_firmware *
meritlilin p3r8822e2_firmware *
CVE-2021-30169 MEDIUM

The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant user’s credential.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-522,

Products Affected

Vendor Product Version
meritlilin p2r6522e2_firmware *
meritlilin z2r6452ax-p_firmware *
meritlilin p2r6352ae2_firmware *
meritlilin p2r3052ae2_firmware *
meritlilin z2r8122x-p_firmware *
meritlilin p2r6822e2_firmware *
meritlilin z2r6422ax_firmware *
meritlilin z2r8022ex25_firmware *
meritlilin p2r6552e2_firmware *
meritlilin z2r8852ax_firmware *
meritlilin z2r6422ax-p_firmware *
meritlilin z2r8822ax_firmware *
meritlilin p2r6822e4_firmware *
meritlilin p2r6522e4_firmware *
meritlilin p2r8822e2_firmware *
meritlilin z2r6452ax_firmware *
meritlilin z2r8122x2-p_firmware *
meritlilin p3r6522e2_firmware *
meritlilin p2r6322ae2_firmware *
meritlilin z3r6522x_firmware *
meritlilin p2r6852e2_firmware *
meritlilin z3r6422x3_firmware *
meritlilin p2r8822e4_firmware *
meritlilin p2g1022x_firmware *
meritlilin z2r8152x-p_firmware *
meritlilin p2g1022_firmware *
meritlilin p2r6552e4_firmware *
meritlilin p3r6322e2_firmware *
meritlilin p2r6322ae4_firmware *
meritlilin z2r8152x2-p_firmware *
meritlilin p2g1052_firmware *
meritlilin p2r8852e4_firmware *
meritlilin p2r6852e4_firmware *
meritlilin z2r6522x_firmware *
meritlilin p2r6352ae4_firmware *
meritlilin z2r6552x_firmware *
meritlilin p2r8852e2_firmware *
meritlilin z2r8052ex25_firmware *
meritlilin p2r3022ae2_firmware *
meritlilin z3r8922x3_firmware *
meritlilin p3r8822e2_firmware *
CVE-2022-47618

Merit LILIN AH55B04 & AH55B08 DVR firm has hard-coded administrator credentials. An unauthenticated remote attacker can use these credentials to log in administrator page, to manipulate system or disrupt service.

Products Affected

Vendor Product Version
meritlilin ah55b04_firmware -
meritlilin ah55b08_firmware -