CVE-2026-15680 in 2K Indoor Wi-Fi Security Camerainfo

Summary

by MITRE • 07/14/2026

Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the parsing of JSON requests in the sonia binary. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-25884.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability represents a critical format string flaw in the Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator component that enables remote code execution without authentication requirements. The vulnerability resides within the sonia binary's handling of JSON requests where user-supplied input is improperly validated before being used as a format specifier. This class of vulnerability maps directly to CWE-134 which specifically addresses the use of user-controlled format strings in functions like printf or sprintf without proper sanitization. The security implications are severe as attackers can craft malicious JSON payloads that, when processed by the vulnerable binary, trigger arbitrary code execution with root privileges.

The technical exploitation mechanism leverages the improper validation of user-supplied strings within the JSON parsing logic of the sonia binary. When the system processes incoming JSON requests containing specially crafted format specifiers, it fails to sanitize these inputs before passing them to formatting functions. This allows attackers to inject malicious format string sequences that can manipulate the program's execution flow and ultimately execute arbitrary code with elevated privileges. The vulnerability's accessibility is particularly concerning as it requires no authentication, making it exploitable by network-adjacent attackers who can simply send crafted requests to the device's API endpoints. This aligns with ATT&CK technique T1210 which describes exploitation of remote services to gain system access.

The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise and potential lateral movement within network environments. Security cameras are often deployed in sensitive locations where they serve as surveillance points, making them attractive targets for attackers seeking persistent access or data exfiltration capabilities. Successful exploitation allows attackers to gain root-level control over the camera's operating system, potentially enabling them to install backdoors, modify surveillance footage, or use the device as a pivot point for attacking other networked systems. The vulnerability's classification as remote code execution without authentication makes it particularly dangerous in enterprise environments where security cameras may be accessible from multiple network segments. Organizations should consider implementing network segmentation controls and monitoring for unusual API traffic patterns to detect potential exploitation attempts.

Mitigation strategies should focus on immediate firmware updates from Lorex to address the underlying format string vulnerability, though organizations lacking access to official patches should consider network-level restrictions to limit access to camera APIs. The principle of least privilege should be enforced by restricting network access to these devices and implementing proper firewall rules that only allow necessary traffic. Additionally, continuous monitoring of network traffic for malformed JSON requests or suspicious API calls can help detect exploitation attempts. Organizations should also implement regular vulnerability assessments targeting IoT devices in their networks and maintain updated inventories of all connected security cameras to ensure timely patching of similar vulnerabilities across their infrastructure.

Responsible

Zdi

Reservation

07/13/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!