SB2026070943 - Multiple vulnerabilities in Lorex 2K Indoor Wi-Fi Security Camera
Published: July 9, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Format string error (CVE-ID: N/A)
CWE-ID: CWE-134 - Use of Externally-Controlled Format String
CVSSv4: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a format string error in the CDeviceOperator function within the parsing of JSON requests in the sonia binary. A remote attacker on the local network can supply a specially crafted input that contains format string specifiers and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Improper Certificate Validation (CVE-ID: N/A)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper certificate validation within the device management functionality. A remote attacker on the local network can execute arbitrary code on the target system.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.