Description
A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_20171024151200. It affects an unknown function of the file home/web/ipc in the HTTP Firmware Update Handler component. Manipulation leads to improper verification of a cryptographic signature. The attack can be carried out remotely. The attack complexity is rather high, and exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-20
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

A vulnerability exists in the Yi Technology YI Home Camera 2 HTTP Firmware Update Handler (file home/web/ipc). The flaw allows an attacker to bypass cryptographic signature verification, enabling the delivery of malicious firmware. This compromise can lead to full system takeover, exposing the camera to arbitrary code execution and disclosure of sensitive data. The weakness is a failure of signature verification, corresponding to CWE-345 (Improper Validation of Cryptographic Signature) and CWE-347 (Use of Incorrect Key or Certificate Information).

Affected Systems

Yi Technology’s YI Home Camera 2, specifically firmware version 2.1.1_20171024151200, is affected. No other versions are listed in the CVE data.

Risk and Exploitability

The vulnerability receives a CVSS score of 9.2, indicating critical severity. No EPSS data is available. It is not included in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit the flaw remotely via the HTTP firmware update interface; the complexity is high and exploitation is described as difficult, yet publicly available exploits may exist. The primary risk is the potential for undetected malicious firmware injection leading to remote code execution.

Generated by OpenCVE AI on March 20, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the camera firmware to the latest vendor release that addresses the signature verification flaw
  • Disable or restrict remote firmware update functionality if it is not required
  • Verify that all firmware updates are signed by the legitimate vendor before installation
  • Monitor network traffic for abnormal firmware update requests and block suspicious activity

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Yitechnology; Yitechnology yi Home Camera
Vendors & Products | | Yitechnology; Yitechnology yi Home Camera

Fri, 20 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_20171024151200. It affects an unknown function of the file home/web/ipc in the HTTP Firmware Update Handler component. Manipulation leads to improper verification of a cryptographic signature. The attack can be carried out remotely. The attack complexity is rather high, and exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Yi Technology YI Home Camera HTTP Firmware Update ipc signature verification
Weaknesses | | CWE-345; CWE-347
References | |
Metrics | | cvssV2_0: {'score': 7.6, 'vector': 'AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-20T15:09:05.552Z

Reserved: 2026-03-19T20:46:31.734Z

Link: CVE-2026-4478

Vulnrichment

Updated: 2026-03-20T15:08:58.535Z

NVD

Status: Awaiting Analysis

Published: 2026-03-20T07:16:14.713

Modified: 2026-03-20T13:37:50.737

Link: CVE-2026-4478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T16:27:59Z

Weaknesses