Austrian cybersecurity firm SEC Consult discovered a series of vulnerabilities that affect thermal cameras produced by Infiray. The cameras, model IRAY-A8Z3, are vulnerable to multiple attack vectors that could result in remote code execution (RCE). SEC Consult released details of the vulnerabilities in the Tuesday advisory, stating that the flaws were due to insecure coding practices, poor configuration, and outdated software. Infiray is a Chinese manufacturer of optical components specializing in infrared and thermal imaging solutions.
Products produced by Infiray are sold in 89 countries and regions across the world, resulting in a broad reach of its products. SEC says that this means the flaws could act as an entry point into industrial control systems and supervisory control networks. The accounts controlling the cameras cannot be deactivated nor have their passwords changed they are considered to be backdoor accounts that could grant attackers access to a broader system. The cameras’ web server interface also contains an endpoint that can execute arbitrary commands, which presents another risk given the flaws.
Read More: Vulnerabilities Targeting InfiRay Thermal Cameras May Result in Industrial Process Hacking