CVE-2024-22028 is a medium-severity vulnerability affecting the 3R-TMC01 thermal camera series produced by THREE R SOLUTION CORP. JAPAN. The vulnerability stems from insufficient verification of data authenticity and inadequate technical documentation regarding the internal data storage of these devices. Specifically, all firmware versions of the TMC series thermal cameras do not properly inform users about the presence and nature of internally saved data. This lack of transparency combined with insufficient security controls allows an attacker with physical access to the device to retrieve sensitive internal data stored within the camera. The vulnerability does not require any authentication or user interaction, but physical access is mandatory. The CVSS 3.1 base score is 4.6, reflecting a medium severity rating primarily due to the requirement for physical access (Attack Vector: Physical) and the impact being limited to confidentiality (high confidentiality impact, no integrity or availability impact). The vulnerability does not appear to have known exploits in the wild yet, and no patches or firmware updates have been published at the time of disclosure. The core technical issue is the lack of proper data authenticity verification and insufficient documentation, which could lead to unauthorized data disclosure if the device is physically compromised.

For European organizations, the primary impact of this vulnerability is the potential unauthorized disclosure of sensitive data stored internally on the 3R-TMC01 thermal cameras. These devices may be used in critical infrastructure monitoring, industrial environments, or security-sensitive locations. If an attacker gains physical access to the device, they could extract confidential thermal imaging data or other internal information, potentially exposing operational details or sensitive environmental conditions. This could lead to privacy violations, industrial espionage, or compromise of security monitoring capabilities. While the vulnerability does not allow remote exploitation or disruption of device functionality, the confidentiality breach risk is significant in environments where physical security is not tightly controlled. Organizations relying on these thermal cameras for security or operational monitoring should be aware that physical device theft or tampering could lead to data leakage. The impact is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data disclosure can lead to regulatory penalties and reputational damage.

To mitigate this vulnerability, European organizations should implement strict physical security controls to prevent unauthorized access to the 3R-TMC01 devices, including secure mounting, restricted access areas, and surveillance. Until official patches or firmware updates are released by THREE R SOLUTION CORP., organizations should inventory all affected devices and assess the sensitivity of the data stored on them. If possible, disable or limit internal data storage features or encrypt stored data using external means. Additionally, organizations should request detailed technical documentation and security guidance from the vendor to understand the data storage mechanisms and potential risks. Regular physical inspections and tamper-evident seals can help detect unauthorized access attempts. For high-risk environments, consider replacing affected devices with alternatives that provide stronger data protection and transparency. Finally, maintain an incident response plan that includes procedures for physical device compromise and data leakage scenarios.