CVE-2024-34896
Published: 03 February 2025
Description
An issue in the Nedis SmartLife Video Doorbell (WIFICDP10GY) and the Nedis SmartLife iOS app v1.4.0 allows users who have been disconnected from a previous peer-to-peer connection with the device to retain access to the live video feed.
Security Summary
CVE-2024-34896 affects the Nedis SmartLife Video Doorbell (model WIFICDP10GY) and the Nedis SmartLife iOS app version 1.4.0. The vulnerability stems from improper handling of peer-to-peer connections: users who have been disconnected from a prior connection with the device retain unauthorized access to the live video feed.
Attackers can exploit this remotely over the network with low complexity, requiring no privileges, authentication, or user interaction, as indicated by the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and a base score of 7.5 (High). A remote unauthenticated adversary who previously established a peer-to-peer connection can achieve high confidentiality impact by continuing to view the live video stream without re-authenticating or reconnecting.
References for advisories and potential mitigations include the vendor site at http://nedis.com and a detailed report at https://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-359419. The CVE was published on 2025-02-03.
Details
- CWE(s)