CVE-2024-56897
Published: 24 February 2025
Description
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Security Summary
CVE-2024-56897 is an improper access control vulnerability (CWE-434) in the HTTP server of YI Car Dashcam firmware version 3.88. The flaw enables unrestricted file downloads and uploads, as well as execution of arbitrary API commands without authentication. These API commands allow unauthorized modifications to device settings, such as disabling recording, disabling sounds, and initiating a factory reset. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical.
Remote attackers with network access to the device can exploit this vulnerability with low complexity and no required privileges or user interaction. Successful exploitation grants full control over file operations, potentially exposing sensitive data like video recordings through downloads or introducing malware via uploads. Attackers can also disrupt device functionality by altering settings, rendering the dashcam inoperable for surveillance or evidence collection.
Mitigation details are outlined in researcher disclosures, including the Medium article at https://geochen.medium.com/cve-2024-56897-yi-car-dashcam-39304a4b21b4 and the GitHub repository https://github.com/geo-chen/YI-Smart-Dashcam/, which provide proof-of-concept code and analysis. The product page at https://yitechnology.com.sg/products/dash-camera/ offers device information, though no official patches are referenced in the CVE details. Security practitioners should isolate affected devices and monitor for firmware updates from YI Technology.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing HTTP server (T1190), use of default or weak accounts (T1078.001), exfiltration of local data via unrestricted downloads (T1005), ingress of tools via uploads (T1105), and impairment of device defenses via API commands that disable recording and sounds or perform a factory reset (T1562).