Wednesday, March 19, 2025

CISA Adds Edimax Vulnerability to KEV Catalog – 3-19-25

Today CISA announced that it had added an OS command injection vulnerability in the Edimax IC-7100 IP Camera to its Known Exploited Vulnerabilities (KEV) catalog. CISA had previously disclosed the vulnerability, noting at the time that Edimax had not responded to CISA’s coordination attempts. Akamai reports that they have been seeing the vulnerability exploited in the wild since September 2024 and notes that proof-of-concept code has been available since June 2023. Apparently, the reason that Edimax has not been responding to vulnerability coordination efforts is that the IC-7100 IP Camera has been end-of-life for quite some time. Unfortunately, Akamai surmises that the vulnerability exists in other IoT products from Edimax.

CISA is requiring federal agencies that have the affected Edimax camera to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of March 9th, 2025 has been provided.
