CVE-2025-25680
Published: 11 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-25680, published on 2025-03-11, is a remote code execution (RCE) vulnerability in the LSC Smart Connect LSC Indoor PTZ Camera version 7.6.32. The issue affects the tuya_ipc_direct_connect function within the anyka_ipc process, classified under CWE-94 (Improper Control of Generation of Code). It carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L). The vulnerability enables arbitrary code execution through the Wi-Fi configuration process when a specially crafted QR code is presented to the camera.
An unauthenticated attacker (PR:N) can exploit this over a network vector (AV:N), though it requires high attack complexity (AC:H) and no specific user interaction (UI:N). By presenting the malicious QR code during the camera's Wi-Fi setup, the attacker achieves arbitrary code execution on the device, resulting in high confidentiality and integrity impacts (C:H/I:H) and low availability impact (A:L).
References for CVE-2025-25680 include two GitHub repositories from Yasha-ops: https://github.com/Yasha-ops/LSC_Indoor_PTZ_Camera-RCE, focused on the LSC Indoor PTZ Camera RCE, and https://github.com/Yasha-ops/vulnerability-research/tree/master/CVE-2025-25680, part of a vulnerability research tree. These sources provide details on the issue but do not specify official advisories, patches, or mitigation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE vulnerability in network-accessible camera process (tuya_ipc_direct_connect) via crafted QR code input during setup directly enables T1190 (Exploit Public-Facing Application) for initial access and facilitates T1059.004 (Unix Shell) for arbitrary command execution on the embedded Linux-based device.