CVE-2016-2360 in IP Security Camera
Summary
by MITRE
Milesight IP security cameras through 2016-11-14 have a default root password in /etc/shadow that is the same across different customers' installations.
Analysis
by VulDB Data Team • 01/27/2024
The vulnerability described in CVE-2016-2360 is a critical security flaw in Milesight IP security cameras that affects firmware released up to November 14, 2016. The issue stems from a design weakness in how the devices were provisioned: the root account ships with a hardcoded default password that persists across customer deployments. Specifically, the root entry in /etc/shadow carries the same password hash regardless of the individual customer installation, so a single credential grants root access to devices across many organizations and geographical locations.
This technical vulnerability maps directly to CWE-798, which addresses the use of hard-coded credentials in software applications. The flaw represents a classic case of insecure credential management where default passwords are not only predictable but universally shared across deployments, effectively creating a single point of failure that compromises the security posture of countless installations. The persistence of this default credential across different customer environments demonstrates a severe lack of proper security hardening practices during device manufacturing and deployment processes.
The operational impact of this vulnerability extends far beyond individual device compromise, as it enables unauthorized access to entire surveillance networks across multiple organizations. An attacker who knows the shared credential can gain root access to affected cameras, potentially leading to network infiltration, data exfiltration, and unauthorized surveillance. Because the same credential works everywhere, compromises can occur simultaneously across numerous locations, making detection and response significantly more challenging for affected organizations. This vulnerability maps to ATT&CK technique T1078 (Valid Accounts), which covers access and privilege escalation through legitimate accounts, including default credentials.
Mitigation requires prompt action from affected organizations: rotate the root credential on every impacted device and replace it with strong, unique authentication. Network segmentation should be enforced to limit lateral movement once a device is compromised, and regular security audits should be conducted to identify and remediate similar hardcoded credential issues in other network components. Organizations should also implement continuous monitoring for unauthorized access attempts and establish incident response procedures specifically designed to address credential-based attacks. The vulnerability highlights the importance of following security best practices such as those outlined in NIST SP 800-53, which emphasizes secure configuration management and access control policies to prevent unauthorized system access through default credentials.
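As an added illustration of the audit recommended above (example code, not part of the VulDB analysis), the following Python script takes the /etc/shadow contents collected from several devices, extracts each root entry, and reports any password hash string that is shared by more than one host, as well as hosts whose root password field is empty. Hostnames and hash strings are constructed for the example and are not real Milesight values.

```python
"""Fleet audit: detect a root password hash shared across /etc/shadow files."""
from collections import defaultdict

# Constructed sample: root lines from /etc/shadow on four hypothetical hosts.
# The salt/hash strings are invented for illustration only.
SAMPLE_SHADOW = {
    "cam-lobby":   "root:$6$abc123$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:17000:0:99999:7:::",
    "cam-parking": "root:$6$abc123$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:17000:0:99999:7:::",
    "cam-dock":    "root:$6$zzz999$OTHERHASHOTHERHASHOTHERHASHOTHERHASHOTHER:17500:0:99999:7:::",
    "cam-spare":   "root::17500:0:99999:7:::",   # empty password field
    "cam-test":    "root:!:17500:0:99999:7:::",  # locked account
}


def root_hash(shadow_text):
    """Return the password field of the root entry, or None if no root line exists."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            return fields[1]
    return None


def audit_shared_root(shadow_by_host):
    """Group hosts by their root hash string.

    Returns (shared, empty): 'shared' maps each hash string found on more than
    one host to the sorted list of those hosts; 'empty' lists hosts whose root
    password field is blank. Locked entries ('!' or '*') are ignored.
    Note: identical strings imply the same salt and password, which is exactly
    what cloned firmware images produce; the same password under different
    salts would not be caught by this comparison.
    """
    groups = defaultdict(list)
    empty = []
    for host, text in shadow_by_host.items():
        h = root_hash(text)
        if h is None:
            continue
        if h == "":
            empty.append(host)
        elif not h.startswith(("!", "*")):
            groups[h].append(host)
    shared = {h: sorted(hosts) for h, hosts in groups.items() if len(hosts) > 1}
    return shared, sorted(empty)


if __name__ == "__main__":
    shared, empty = audit_shared_root(SAMPLE_SHADOW)
    for h, hosts in shared.items():
        print(f"shared root hash on {hosts}: {h[:12]}...")
    print("empty root password on:", empty)
```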