Vista VK2 IP Camera Vulnerability – 28th November 2023
Vista has become aware of vulnerabilities within the VK2 range of IP cameras.
We are currently working extensively with the Development Team to implement firmware updates for prompt resolution.
Details are provided below, including the products of the range and how they are each affected.
VULNERABILITIES
| Description | Severity |
| --- | --- |
| 1. Ability to inject PHP and modify the admin password to gain access, via user_update.php | High |
| 2. Unsupported web software: PHP (PHP/7.3.7) | Medium |
| 3. Outdated server software: Lighttpd (1.4.39) | Medium |
AFFECTED PRODUCTS AND VERSIONS
The VK2 range cameras listed below exhibit the above issues. The latest affected firmware version is also given for each model.
Once a firmware resolution is available for the below cameras, details of the updated version will be provided here. Please check regularly for updates to this announcement.
| Model | Last Affected Version | Fixed Version |
| --- | --- | --- |
| VK2-HDX23IR-SMW | H_5213_PTZ_v2.6.2.enc | TBC |
| VK2-HDX20-SMW | H_5229_PTZ_v1.3.3.enc | TBC |
| VK2-4KX30IR-PM | H_7817_PTZ_v1.5.4.enc | TBC |
| VK2L-2MPBIR36 | H_1212_v1.3.4.enc | TBC |
| VK2L-2MPTIR36 | H_1212_v1.3.4.enc | TBC |
| VK2-2MPXVFDIR28V12M | H_5213_v3.7.9.enc | TBC |
| VK2-2MPXVRDIR37 | H_5213_v3.7.9.enc | TBC |
| VK2-2MPXVRDIR28V12M | H_5213_v3.7.9.enc | TBC |
| VK2-4MPXVRDIR28V12M | H_6411_v3.3.8.enc | TBC |
| VK2-4MPXBIR28V12M | H_6411_v3.3.8.enc | TBC |
| VK2-4KXVRDIR36V11M | H_7816_v2.0.1.enc | TBC |
| VK2-12MP360EXTIR | H_7817_Fisheye_v1.5.4.enc | TBC |
All remaining Vista IP cameras of the VK2 range, i.e. those not listed above, exhibit vulnerabilities 2 and 3 only.
Note: they do not exhibit issue 1 (PHP injection and modification of the admin password to gain access).
These remaining VK2 cameras use older, unsupported SoC (System on a Chip) hardware and no longer receive firmware updates.
RECOMMENDATIONS – The recommendations below minimise the impact of these issues; they are also best practice for any CCTV deployment.
- Provide a dedicated VLAN/Ethernet network for all CCTV devices so that they are separate from the corporate or customer LAN.
- Where connectivity between the networks is required, place a firewall between them with rules and policies that block all unnecessary source IP addresses and ports.
- Apply IP whitelists to CCTV devices, such as cameras, so that only approved source IP addresses (e.g. the NVR recorder, the engineering LAN) are permitted access.
- Use HTTPS for web login access on any CCTV device, where possible.
- Ensure admin passwords are changed from their defaults to strong values.
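As an added example, not from the advisory or the vendor, the following script shows how the IP whitelist recommendation can be checked against camera web logs: it flags requests to user_update.php (the endpoint named in vulnerability 1) from any source address outside an allowlist. The log format (common/combined style), the allowlist addresses and the sample lines are all constructed assumptions, not the cameras' documented behaviour.

```python
import ipaddress
import re

# Constructed sample log lines in the common/combined log format used by many
# web servers; the VK2 cameras' own log format is not given on the advisory.
SAMPLE_LOG = """\
10.20.0.5 - - [28/Nov/2023:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.20.0.5 - - [28/Nov/2023:09:12:07 +0000] "POST /user_update.php HTTP/1.1" 200 88
192.168.50.77 - - [28/Nov/2023:09:15:33 +0000] "POST /user_update.php HTTP/1.1" 200 88
192.168.50.77 - - [28/Nov/2023:09:15:40 +0000] "GET /live.php HTTP/1.1" 200 4096
10.20.1.9 - - [28/Nov/2023:09:20:02 +0000] "POST /user_update.php HTTP/1.1" 500 0
"""

# Assumed allowlist: the NVR recorder address and the engineering LAN subnet.
ALLOWLIST = [ipaddress.ip_network("10.20.0.5/32"),
             ipaddress.ip_network("10.20.1.0/24")]

# Endpoint named in vulnerability 1 of the advisory.
SENSITIVE_PATHS = {"/user_update.php"}

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_allowed(src: str) -> bool:
    """True if the source address falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable address is never trusted
    return any(addr in net for net in ALLOWLIST)


def find_suspicious(log_text: str) -> list[dict]:
    """Return requests to sensitive endpoints from non-allowlisted sources."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path in SENSITIVE_PATHS and not is_allowed(m.group("src")):
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "method": m.group("method"), "path": path,
                         "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {h['ts']} {h['src']} {h['method']} {h['path']} -> {h['status']}")
```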
Please revisit this page to keep updated on firmware resolutions.