CVE-2025-9381 in Y215 CCTV Camera
Summary
by MITRE • 08/24/2025
A security flaw has been discovered in FNKvision Y215 CCTV Camera 10.194.120.40. This affects an unknown part of the file /tmp/wpa_supplicant.conf. Performing manipulation results in information disclosure. The attack may be carried out on the physical device. The attack's complexity is rated as high. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 08/24/2025
The vulnerability identified as CVE-2025-9381 represents a critical security flaw in the FNKvision Y215 CCTV camera firmware version 10.194.120.40. This device, designed for network video surveillance, contains a sensitive configuration file located at /tmp/wpa_supplicant.conf that exposes sensitive information through improper access controls. The flaw resides in the camera's handling of wireless network authentication parameters, which are stored in plaintext within the temporary filesystem. This represents a direct violation of security best practices and creates a significant attack surface for malicious actors seeking to compromise the surveillance infrastructure. The vulnerability's classification as a high-complexity attack indicates that while exploitation requires substantial technical expertise, the potential impact is severe given the nature of surveillance equipment.
The technical implementation of this flaw involves the insecure storage of wireless network credentials and authentication parameters within the /tmp directory, which is typically a temporary filesystem that may be accessible through various attack vectors. The wpa_supplicant.conf file contains critical information including network SSIDs, passwords, and authentication keys that are essential for wireless connectivity. When this file is improperly protected or accessible to unauthorized users, it creates a persistent information disclosure vulnerability that can be exploited by attackers with physical access to the device. This aligns with CWE-312 (Cleartext Storage of Sensitive Information) and CWE-200 (Information Disclosure) classifications, demonstrating how poor cryptographic practices and inadequate file permissions can lead to severe security consequences.
The operational impact of this vulnerability extends beyond simple credential theft, as it enables attackers to gain unauthorized access to the surveillance network and potentially compromise the entire security infrastructure. Physical access to the device, while requiring an attacker to be in close proximity, is often achievable in environments where security controls are weak or non-existent. This vulnerability could allow attackers to establish persistent access points, monitor network traffic, or even manipulate video feeds and recording capabilities. The fact that this exploit has been publicly released indicates that the attack methodology is well-documented and readily available to malicious actors, increasing the risk to organizations that have not yet patched or mitigated this issue. The ATT&CK framework would categorize this under T1566 (Phishing) and T1071.004 (Application Layer Protocol: DNS) as attackers could potentially use stolen credentials to pivot through network infrastructure, and T1005 (Data from Local System) for information extraction.
Mitigation strategies for CVE-2025-9381 should prioritize immediate firmware updates from the vendor, although the lack of vendor response suggests that organizations may need to implement temporary workarounds. Physical security measures including device locking, restricted access controls, and network segmentation should be implemented to limit potential attack surfaces. Organizations should also consider implementing network monitoring to detect unusual authentication patterns or unauthorized access attempts. The remediation process should include secure configuration of the wpa_supplicant.conf file with appropriate file permissions and encryption of stored credentials. Additionally, regular security assessments of networked devices, particularly those in surveillance environments, should be conducted to identify similar vulnerabilities. The absence of vendor response underscores the importance of maintaining independent security research and community-driven vulnerability disclosure processes, as well as the need for organizations to have contingency plans when vendors fail to respond to critical security issues.