CVE-2026-42367
A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of LPC2011/LPC2211 (version(s): 1.10). A specially crafted HTTP request can lead to a credentials leak. An attacker can visit a webpage to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LPC2011/LPC2211 (version(s): 1.10)
LPC2011/LPC2211 - https://www.geovision.com.tw/product/GV-LPC2011
6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-522 - Insufficiently Protected Credentials
The LPC camera comes with a Web Interface that implements two levels of user access: a Guest user limited to viewing the camera feed, and an Administrator user who can fully manage the camera.
The ssi.cgi endpoint implements a server-side template mechanism, and its pages are reachable by the Guest user. In particular, /ssi.cgi/UserSetting.htm can return details about users. The username and password of the Administrator user are included in the JavaScript of the page as an encrypted data blob. However, the decryption key is also provided, and thus it is as if the credentials were in plain text. We can see how the JavaScript is generated:
if ( !strcmp("USER_CFG", a1) )
{
  v972 = (const char *)&v969[15336];
  SIiUTIL_GenKey((int)v1003);
  geo_web_encrypt((const char *)v1003, (const char *)(v2 + 0x2C68), 32, (char *)&v969[15280], 80);// admin_username
  geo_web_encrypt((const char *)v1003, (const char *)(v2 + 0x2CA8), 32, (char *)&v969[15300], 80);// user_username
  geo_web_encrypt((const char *)v1003, (const char *)(v2 + 0xD0B0), 32, (char *)&v969[15320], 80);// ftp_server_user
  geo_web_encrypt((const char *)v1003, (const char *)(v2 + 0x2C88), 32, (char *)&v969[15340], 80);// admin_password
  printf("parent.SetUsrNamePwd(\"%s\",\"%s\"); ", (const char *)&v969[15280], (const char *)&v969[15340]);
  printf("parent.SetDesc(\"%s\"); ", (const char *)v1003);// encryption key
  printf(
    "ShowUserCfg(\"%s\", \"%s\", \"%s\");",
    (const char *)&v969[15280],
    (const char *)&v969[15300],
    (const char *)&v969[15320]);
  return;
}
The code above is triggered when a local HTML page is accessed via the ssi.cgi endpoint and contains the <!--#include file="USER_CFG"--> tag. The UserSetting.htm page is an example of a legitimate page that uses this tag. As such, a malicious Guest user can retrieve the /ssi.cgi/UserSetting.htm page, get the encrypted Administrator credentials from the JavaScript in the page, and then run the appropriate decryption algorithm to retrieve the plaintext admin credentials.
This algorithm can be obtained by reversing or emulating the ssi.cgi binary.
In practice, when accessing the /ssi.cgi/UserSetting.htm endpoint, a user can see the following JavaScript:
parent.SetUsrNamePwd("006ACE3FB4BD747E0AA1D23C4D2D5816539F841DDE845EBC434023B483BDF2AA","A9FDA3DBAF7834E77634EC8CFA2EB028338BAC93CEC6D5DA47BA2AD469D629E3"); parent.SetDesc("3cnicfo"); // admin credentials + encryption key
ShowUserCfg("006ACE3FB4BD747E0AA1D23C4D2D5816539F841DDE845EBC434023B483BDF2AA", "5C8D7FCEB72AD01D08C9EFCDCC9AA206AA3892E2765AFF9725253F2EC28A2014", "37CF5BEB8D9E0554A5663C18D731F1F8479C21E6D203259B4F09071A4A12B8A2");
ShowGuestCHCfg('0');ShowCheckIDCfg('0');
document.forms[0].submit.value=GetXML("IDS_VS_Button_Apply");
document.forms[1].submit.value=GetXML("IDS_VS_Button_Apply");
document.forms[2].submit.value=GetXML("IDS_VS_Button_Apply");
document.forms[3].submit.value=GetXML("IDS_VS_Button_Apply");
if (IPcamIsSupportSD == false)
{
  document.getElementById('divAccountFTP_Server').style.display = "none";
}
This vulnerability can allow a Guest user to elevate their privileges to those of the Administrator user, change settings of the camera, and, by exploiting other vulnerabilities (e.g. TALOS-2025-2326), take over the whole camera.
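As an added example (not part of the advisory or the vendor's code), a defender can classify captured /ssi.cgi/UserSetting.htm response bodies for the pattern shown above, credential blobs delivered together with their key, without decrypting anything. The sample bodies, the key value in them, the 16-byte minimum blob length and the verdict names are assumptions made for illustration.

```python
import re

# Calls emitted by the USER_CFG include, as seen in the advisory's sample output.
CRED_CALL = re.compile(r'SetUsrNamePwd\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
KEY_CALL = re.compile(r'SetDesc\(\s*"([^"]*)"\s*\)')
# Assumption: an encrypted field is an even-length hex string of at least 16 bytes.
HEX_BLOB = re.compile(r'^(?:[0-9A-Fa-f]{2}){16,}$')


def audit_user_cfg(body: str) -> dict:
    """Classify a UserSetting.htm response body; no decryption is attempted."""
    cred = CRED_CALL.search(body)
    key = KEY_CALL.search(body)
    has_blobs = bool(cred) and all(HEX_BLOB.match(arg) for arg in cred.groups())
    has_key = bool(key) and key.group(1) != ""
    if has_blobs and has_key:
        verdict = "exposed"          # ciphertext and its key in the same response
    elif has_blobs:
        verdict = "ciphertext-only"  # still sensitive: review where the key comes from
    else:
        verdict = "not-observed"     # no credential blobs in this body
    return {"verdict": verdict, "has_blobs": has_blobs, "has_key": has_key}


# Constructed sample bodies (not captured from a device).
SAMPLE_EXPOSED = (
    'parent.SetUsrNamePwd("' + "AB" * 32 + '","' + "CD" * 32 + '"); '
    'parent.SetDesc("examplk"); '
)
SAMPLE_NO_KEY = (
    'parent.SetUsrNamePwd("' + "AB" * 32 + '","' + "CD" * 32 + '"); '
    'parent.SetDesc(""); '
)
SAMPLE_CLEAN = "ShowGuestCHCfg('0');ShowCheckIDCfg('0');"

if __name__ == "__main__":
    for name, body in [("exposed", SAMPLE_EXPOSED),
                       ("no key", SAMPLE_NO_KEY),
                       ("clean", SAMPLE_CLEAN)]:
        print(name, audit_user_cfg(body))
```

Run against a body fetched with a Guest session before and after applying the vendor patch, an "exposed" verdict means the Guest-reachable page still carries both the credential blobs and the key.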
2026-02-17 - Initial Vendor Contact
2026-02-24 - Vendor Disclosure
2026-04-14 - Vendor Patch Release
2026-06-15 - Public Release
Philippe Laulheret of Cisco Talos