CVE-2021-30167

CRITICAL

Network Camera Device - Privilege Escalation

Title source: llm

Description

The manage users profile services of the network camera device allows an authenticated. Remote attackers can modify URL parameters and further amend user’s information and escalate privileges to control the devices.

References (4)

[Third Party Advisory] https://gist.github.com/keniver/86ebef688fb274b534da51ef1a84dd3e

[Third Party Advisory] https://www.chtsecurity.com/news/0b733a38-e616-4ff3-86a6-13e710643388

[Vendor Advisory] https://www.meritlilin.com/assets/uploads/support/file/M00166-TW.pdf

[Not Applicable] https://www.twcert.org.tw/tw/cp-132-4676-391a5-1.html

Scores

CVSS v3 9.8

EPSS 0.0356

EPSS Percentile 87.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-522 CWE-306

Status published

Affected Products (41)

meritlilin/p2r8852e2_firmware < 7.1.94.8908

meritlilin/p2r8852e4_firmware < 7.1.94.8908

meritlilin/p2r6852e2_firmware < 7.1.94.8908

meritlilin/p2r6852e4_firmware < 7.1.94.8908

meritlilin/p2r6552e2_firmware < 7.1.94.8908

meritlilin/p2r6552e4_firmware < 7.1.94.8908

meritlilin/p2r6352ae2_firmware < 7.1.94.8908

meritlilin/p2r6352ae4_firmware < 7.1.94.8908

meritlilin/p2r3052ae2_firmware < 7.1.94.8908

meritlilin/p2g1052_firmware < 7.1.94.8908

meritlilin/p2r8822e2_firmware < 7.1.94.8908

meritlilin/p2r8822e4_firmware < 7.1.94.8908

meritlilin/p2r6822e2_firmware < 7.1.94.8908

meritlilin/p2r6822e4_firmware < 7.1.94.8908

meritlilin/p2r6522e2_firmware < 7.1.94.8908

... and 26 more

Timeline

Published Apr 28, 2021

Tracked Since Feb 18, 2026