CVE-2024-45170 affects the za-internet C-MOR Video Surveillance system version 5.2401. The root cause is a failure to enforce proper access control on the server side for administrative functions exposed via the web interface. While the web application’s user interface restricts certain functions to administrative users, these restrictions are only implemented client-side and not validated on the server. Consequently, low privileged users can craft and send HTTP requests directly to the web server to invoke administrative operations such as downloading backup files or changing configuration settings. This vulnerability represents a classic case of improper access control (CWE-284), where authorization checks are insufficient or missing on the server. The exploit requires only low privilege access and no user interaction, making it relatively easy to abuse remotely over the network. The vulnerability was published on September 4, 2024, and carries a CVSS 3.1 score of 8.1, reflecting high impact on confidentiality and integrity but no impact on availability. No patches or known exploits have been reported yet, but the risk is substantial given the sensitive nature of video surveillance data and system configurations.

The primary impact of CVE-2024-45170 is unauthorized access to sensitive administrative functions of the C-MOR Video Surveillance system. Attackers with low privileged accounts can escalate their privileges to perform administrative tasks, including downloading backup files that may contain sensitive video footage or system data, and altering configuration settings that could disrupt surveillance operations or weaken security controls. This breach of confidentiality and integrity can lead to privacy violations, data leakage, and potential sabotage of surveillance infrastructure. Organizations relying on this system for security monitoring, especially critical infrastructure, government facilities, or corporate environments, face increased risk of espionage, data theft, and operational disruption. Since the vulnerability can be exploited remotely without user interaction, it broadens the attack surface and increases the likelihood of compromise if the system is exposed to untrusted networks.

To mitigate CVE-2024-45170, organizations should first restrict network access to the C-MOR web interface to trusted internal networks or VPNs to reduce exposure. Implement strict network segmentation and firewall rules to limit access to the surveillance system. Conduct a thorough review of user privileges and remove unnecessary low privileged accounts that have web interface access. Monitor web server logs for unusual HTTP requests that attempt to access administrative functions. If possible, disable or restrict backup file downloads and configuration changes via the web interface until a vendor patch is available. Engage with the vendor to obtain patches or updates that enforce server-side authorization checks. As a temporary workaround, consider deploying a web application firewall (WAF) with custom rules to detect and block unauthorized administrative HTTP requests. Regularly audit and update credentials and ensure strong authentication mechanisms are in place. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.