CVE-2020-24216 in HiSilicon
Summary
by MITRE • 10/06/2020
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. When the administrator configures a secret URL for RTSP streaming, the stream is still available via its default name such as /0. Unauthenticated attackers can view video streams that are meant to be private.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/19/2026
This vulnerability represents a critical access control flaw in HiSilicon-based video encoder systems that affects the box application component. The issue stems from improper implementation of authentication mechanisms where administrators can configure secret URLs for RTSP streaming to restrict access to private video feeds. However, the system fails to enforce proper access controls, allowing unauthorized users to bypass the configured security measures and access streams using default naming conventions such as /0. This represents a classic case of insecure direct object reference vulnerability where the application does not validate whether the requesting user has proper authorization to access specific stream resources.
The technical implementation flaw manifests in the application's URL handling and stream access validation logic. When administrators set up secret URLs, the system should enforce strict access controls that prevent unauthorized access regardless of the URL pattern used. However, the box application appears to maintain fallback mechanisms or default access paths that remain accessible even when secret URLs are configured. This issue directly relates to CWE-284 which describes improper access control vulnerabilities where systems fail to properly enforce authorization checks. The vulnerability exists at the application level within the RTSP streaming service implementation where access controls are not consistently enforced across all available access points.
From an operational impact perspective, this vulnerability exposes sensitive video surveillance and streaming content to unauthenticated attackers who can potentially access private feeds without any authentication. The implications are severe for organizations relying on these encoders for security monitoring, as attackers can view live video streams from cameras configured with secret URLs, undermining the entire purpose of access restriction. This vulnerability can be exploited by anyone who knows the default stream naming conventions, making it particularly dangerous in environments where physical security is assumed to be maintained through digital access controls. The attack surface is broad as this affects all HiSilicon-based systems that implement the box application and RTSP streaming functionality.
The mitigation strategy should focus on implementing proper access control enforcement throughout the application's streaming service. Organizations should immediately disable secret URL functionality if it cannot be properly secured, or implement robust authentication checks that validate user credentials regardless of the URL pattern accessed. System administrators should ensure that all access points are validated against proper authorization mechanisms and that default access paths are properly secured. The solution aligns with ATT&CK technique T1190 which describes exploitation of vulnerabilities in network infrastructure devices, and T1071.004 which covers application layer protocol usage for command and control. Security patches should be applied to update the box application to properly enforce access controls, and network segmentation should be implemented to isolate streaming services from unauthorized network access. Regular security assessments should be conducted to identify similar access control weaknesses in other networked video equipment and infrastructure components.