Description
ACE SECURITY WIP-90113 HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network.
References (4)
Core 4
Core References
Various Sources exploit
https://packetstorm.news/files/id/156497/
Issue Tracking exploit
https://cxsecurity.com/issue/WLB-2020020137
Various Sources product
https://acesecurity.jp/support/top/wip_series/wip-90113
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/ace-security-wip90113-unauthenticated-config-disclosure
Scores
CVSS v4
8.7
EPSS
0.0052
EPSS Percentile
39.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-306
Status
published
Products (1)
ACE SECURITY/WIP-90113 HD Camera
Published
Nov 26, 2025
Tracked Since
Feb 18, 2026