Description
Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. Attackers can request the getadslattr.cgi endpoint to retrieve ADSL credentials and network configuration parameters including usernames, passwords, and DNS settings.
Published: 2026-03-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a directory traversal flaw in the getadslattr.cgi endpoint of Hisilicon HiIpcam V100R003. An unauthenticated attacker can craft URLs that traverse outside the intended directory and read files within the cgi-bin folder. The flaw enables the retrieval of sensitive assets including ADSL credentials, network configuration, usernames, passwords, and DNS settings, leading to confidentiality loss. The weakness aligns with CWE‑260 as described in the advisory, highlighting exposure of credential information.

Affected Systems

Affected systems are devices running the Hisilicon HiIpcam V100R003 firmware. No granular version list is supplied; any installation of this product is presumed vulnerable until verified otherwise.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. EPSS is below 1%, so exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only unauthenticated HTTP access to the device, so the attack vector is network‑based. The attacker needs only to send a crafted GET request to the vulnerable endpoint; no authentication or additional privileges are needed. Consequently, any network‑exposed device presents a high risk until mitigated.

Generated by OpenCVE AI on March 17, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the firmware version of your Hisilicon HiIpcam device to confirm it is V100R003.
  • Obtain the latest firmware upgrade from the vendor and apply it as soon as possible.
  • If a patch is not yet available, restrict external access to the device by configuring firewall rules or removing the cgi-bin directory from the web root.
  • Disable the getadslattr.cgi endpoint if possible or rotate all exposed credentials.
  • Regularly monitor device logs for unauthorized access attempts and maintain updated backups.



Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Hisilicon, Hisilicon hiipcam
Vendors & Products |  | Hisilicon, Hisilicon hiipcam

Wed, 11 Mar 2026 22:30:00 +0000


Wed, 11 Mar 2026 22:00:00 +0000


Wed, 11 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description |  | Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. Attackers can request the getadslattr.cgi endpoint to retrieve ADSL credentials and network configuration parameters including usernames, passwords, and DNS settings.
Title |  | Hisilicon HiIpcam V100R003 Information Disclosure via Directory Traversal
Weaknesses |  | CWE-260
References |  |
Metrics |  | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics |  | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-11T21:45:48.973Z

Reserved: 2026-02-22T14:03:56.966Z

Link: CVE-2019-25465

Vulnrichment

Updated: 2026-03-11T19:23:09.062Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T19:15:59.650

Modified: 2026-03-12T21:08:22.643

Link: CVE-2019-25465

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:53Z
