SB2026070943 - Multiple vulnerabilities in Lorex 2K Indoor Wi-Fi Security Camera



SB2026070943 - Multiple vulnerabilities in Lorex 2K Indoor Wi-Fi Security Camera

Published: July 9, 2026

Security Bulletin ID SB2026070943
CSH Severity
Medium
Patch available
NO
Number of vulnerabilities 2
Exploitation vector Adjecent network
Highest impact Code execution

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Format string error (CVE-ID: N/A)

CWE-ID: CWE-134 - Use of Externally-Controlled Format String

CVSSv4: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a format string error in the CDeviceOperator function within the parsing of JSON requests in the sonia binary. A remote attacker on the local network can supply a specially crafted input that contains format string specifiers and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Improper Certificate Validation (CVE-ID: N/A)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation within the device management functionality. A remote attacker on the local network can execute arbitrary code on the target system.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.