Description
Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds
Published: 2026-04-28
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access through Authentication Bypass
Action: Apply Patch
AI Analysis

Impact

Penetration testers have uncovered a flaw in the request handling of the QND-8080R camera’s web server component that can allow an attacker to bypass normal authentication checks and call protected functions. The vulnerability is a classic example of an authentication bypass (CWE‑306), which could let an unauthenticated user control camera settings or access sensitive data without authorization.

Affected Systems

Hanwha Vision’s QND‑8080R network cameras are affected. The vulnerability exists in the web server firmware that is shipped with these devices, and any device running the unpatched firmware is at risk. The vendor has released a firmware update to address the issue; specific firmware version numbers are not listed in the CVE data.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high‑severity flaw, and the lack of an EPSS score means the current exploitation likelihood is unspecified. The vulnerability is not listed in the CISA KEV catalog, but it can be exploited remotely by any host that can reach the camera’s HTTP/HTTPS interface. The likely attack vector is remote exploitation via the camera’s web interface, as the flaw resides in the web server component.

Generated by OpenCVE AI on April 28, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest firmware patch from Hanwha Vision for the QND-8080R camera.
  • Limit remote access to the camera’s web interface by configuring firewall rules or network segmentation to allow only trusted administrators.
  • Disable the web interface on the camera if it is not required for operation and ensure that the device is not exposed to the public internet.

Generated by OpenCVE AI on April 28, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Hanwhavision
Hanwhavision qnd-8080r
Vendors & Products Hanwhavision
Hanwhavision qnd-8080r

Tue, 28 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Description Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds
Title Authentication Bypass
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Hanwhavision Qnd-8080r
cve-icon MITRE

Status: PUBLISHED

Assigner: Hanwha_Vision

Published:

Updated: 2026-04-28T12:34:26.408Z

Reserved: 2024-11-27T00:56:05.852Z

Link: CVE-2024-54013

cve-icon Vulnrichment

Updated: 2026-04-28T12:34:20.190Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-28T08:16:01.147

Modified: 2026-04-28T20:11:56.713

Link: CVE-2024-54013

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:30:27Z

Weaknesses