Description
Penetration Testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be executed on the device. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds.
Published: 2026-04-28
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to insert and execute arbitrary operating‑system commands on the camera device because user input is not properly validated when processed by the firmware. This weakness, identified as CWE‑78, enables full control of the affected device, leaking any stored data, tampering with configurations, and potentially allowing further lateral movement within the network.

Affected Systems

The flaw affects Hanwha Vision QND‑8080R camera systems. No specific firmware versions are listed in the vendor notice, so all releases of this product are potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. EPSS information is not available, and the vulnerability is not included in CISA’s KEV catalog. Based on the description and the fact that Amazon penetration‑testing engineers discovered the issue through externally crafted requests, the likely attack vector is remote, via the camera’s network interface. An attacker who can send a request to the camera can execute arbitrary commands, although no additional prerequisites such as privilege escalation or specific configuration settings are noted in the advisory.

Generated by OpenCVE AI on April 28, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official firmware patch released by Hanwha Vision
  • Follow the vendor‑provided workaround instructions in the Camera Vulnerability Report
  • Limit exposure of the camera by restricting network access to trusted IP ranges or VLANs

Generated by OpenCVE AI on April 28, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Hanwhavision
Hanwhavision qnd-8080r
Vendors & Products Hanwhavision
Hanwhavision qnd-8080r

Tue, 28 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Description Penetration Testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be executed on the device. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds.
Title Command Injection
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Hanwhavision Qnd-8080r
cve-icon MITRE

Status: PUBLISHED

Assigner: Hanwha_Vision

Published:

Updated: 2026-04-28T12:35:28.059Z

Reserved: 2024-11-27T00:56:05.852Z

Link: CVE-2024-54012

cve-icon Vulnrichment

Updated: 2026-04-28T12:35:23.328Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-28T08:16:01.030

Modified: 2026-04-28T20:11:56.713

Link: CVE-2024-54012

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T12:30:31Z

Weaknesses