Description
Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to obtain data. Users are advised to upgrade the app to the latest version and enable the video encryption feature.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from older cloud feature modules in the EZVIZ app that expose legacy API interfaces without proper encryption. Attackers can intercept network traffic to capture data transmitted by these modules, potentially revealing sensitive information. This issue represents a confidentiality risk due to clear‑text data transmission, aligning with CWE‑312.

Affected Systems

Older versions of the EZVIZ app, which incorporate legacy cloud feature modules with unencrypted interfaces, are affected. The specific versions are not enumerated in the advisory, but any app build employing these older modules may be vulnerable.

Risk and Exploitability

With a CVSS score of 5.3, the vulnerability is rated as moderate in severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. Attackers would need network access to eavesdrop on traffic; authentication is not required. The primary exploit path involves intercepting unencrypted API requests, allowing passive data capture without active intrusion.

Generated by OpenCVE AI on May 9, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EZVIZ app to the latest version that uses encrypted video transmission protocols.
  • Enable the video encryption feature within the app settings after updating.
  • Verify that network traffic to the cloud services is now encrypted by monitoring packet captures or using a network intrusion detection tool.
  • Maintain awareness of future security advisories for EZVIZ products and apply patches promptly.

Advisories

No advisories yet.

History

Sat, 09 May 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unencrypted Legacy API in EZVIZ App Enables Data Eavesdropping |
| Weaknesses | | CWE-312 |

Sat, 09 May 2026 09:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to obtain data. Users are advised to upgrade the app to the latest version and enable the video encryption feature. |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: hikvision

Published:

Updated: 2026-05-09T08:29:09.821Z

Reserved: 2026-03-13T07:45:08.744Z

Link: CVE-2026-32683

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T09:16:08.973

Modified: 2026-05-09T09:16:08.973

Link: CVE-2026-32683

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T10:30:31Z

Weaknesses