Description
Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to obtain data.Users are advised to upgrade the app to the latest version and enable the video encryption feature.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability comes from older cloud feature modules in the EZVIZ app that expose legacy API interfaces without encryption. This allows attackers to capture the data transmitted through these interfaces, potentially revealing sensitive information. The issue aligns with CWE‑319 (Improper Handling of Sensitive Information).

Affected Systems

All versions of the EZVIZ app that incorporate legacy cloud feature modules are affected. The advisory does not list specific version numbers, so any build using these older modules may be vulnerable.

Risk and Exploitability

The CVSS score of 5.3 rates the vulnerability as moderate. The EPSS score is < 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. An attacker would need access to the network environment in order to intercept unencrypted API traffic, thereby capturing data in transit. Based on the description, it is inferred that no user authentication is required because the flaw involves passive interception of data rather than active exploitation.

Generated by OpenCVE AI on May 13, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EZVIZ app to the latest release that encrypts cloud data transmissions.
  • Enable the video encryption feature in the app settings after upgrading.
  • Verify that traffic to EZVIZ cloud services is encrypted by inspecting network packets for evidence of encryption.
  • Monitor for future EZVIZ security advisories and apply updates promptly.

Generated by OpenCVE AI on May 13, 2026 at 02:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 02:45:00 +0000

Type Values Removed Values Added
Title Unencrypted Legacy API Enables Data Capture in EZVIZ App

Wed, 13 May 2026 01:45:00 +0000

Type Values Removed Values Added
Title Unencrypted Legacy API in EZVIZ App Enables Data Eavesdropping
Weaknesses CWE-312

Tue, 12 May 2026 23:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-319

Mon, 11 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Ezviz
Ezviz ezviz App
Vendors & Products Ezviz
Ezviz ezviz App

Sat, 09 May 2026 10:45:00 +0000

Type Values Removed Values Added
Title Unencrypted Legacy API in EZVIZ App Enables Data Eavesdropping
Weaknesses CWE-312

Sat, 09 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to obtain data.Users are advised to upgrade the app to the latest version and enable the video encryption feature.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Ezviz Ezviz App
cve-icon MITRE

Status: PUBLISHED

Assigner: hikvision

Published:

Updated: 2026-05-12T22:31:10.618Z

Reserved: 2026-03-13T07:45:08.744Z

Link: CVE-2026-32683

cve-icon Vulnrichment

Updated: 2026-05-11T17:29:25.229Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-09T09:16:08.973

Modified: 2026-05-12T23:16:16.940

Link: CVE-2026-32683

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T02:30:16Z

Weaknesses