CVE-2020-24217 in HiSilicon
Summary
by MITRE • 10/06/2020
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/11/2026
This vulnerability exists within the box application component of HiSilicon-based IPTV and video encoder devices that support H.264 and H.265 video encoding protocols. The flaw manifests in the file-upload endpoint which fails to implement proper authentication mechanisms, creating a critical security gap that allows unauthorized access to the device's firmware update functionality. The absence of authentication enforcement represents a fundamental failure in the application's security architecture and directly violates established security principles for firmware management systems. This weakness enables attackers to exploit the upload endpoint through unauthenticated HTTP requests, bypassing all intended security controls that should protect against unauthorized firmware modifications.
The technical exploitation of this vulnerability follows a specific attack pattern that begins with an unauthenticated HTTP request being sent to the vulnerable file-upload endpoint. This initial attack vector leverages the lack of proper authentication checks, allowing malicious actors to upload custom firmware components without requiring valid credentials or authorization. The vulnerability creates a pathway for command injection attacks that can be combined with the firmware upload capability to achieve arbitrary code execution on the target device. This combination of upload and command injection capabilities transforms a simple authentication bypass into a full compromise scenario, potentially enabling attackers to gain persistent control over the device.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass complete device compromise and potential network infiltration. Attackers who successfully exploit this vulnerability can install malicious firmware components that may persist across device reboots, providing them with long-term access to the compromised system. The arbitrary code execution capability allows for extensive control over the device's operations, potentially enabling attackers to modify video encoding parameters, access network configurations, or redirect traffic through the compromised device. This vulnerability particularly affects IoT devices in networked environments where these encoders are commonly deployed, potentially creating entry points for broader network attacks that align with tactics described in the attack framework.
This vulnerability directly maps to CWE-306, which addresses the absence of authentication for critical functions, and represents a clear violation of the principle of least privilege. The attack scenario demonstrates how insecure direct object references combined with insufficient authentication can create dangerous security gaps in embedded systems. Organizations should implement immediate mitigations including network segmentation to isolate affected devices, deployment of network access controls to restrict access to the vulnerable endpoints, and mandatory firmware updates from the vendor to address the authentication bypass. The vulnerability also aligns with ATT&CK technique T1059, which covers command and scripting interpreter usage, and T1547, which covers process injection techniques, as attackers can leverage the compromised device to execute malicious commands and establish persistence within the network infrastructure.