CVE-2024-45171: n/a
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to upload dangerous files, for instance PHP code, to the C-MOR system. By analyzing the C-MOR web interface, it was found out that the upload functionality for backup files allows an authenticated user to upload arbitrary files. The only condition is that the filename contains a .cbkf string. Therefore, webshell.cbkf.php is considered a valid file name for the C-MOR web application. Uploaded files are stored within the directory "/srv/www/backups" on the C-MOR system, and can thus be accessed via the URL https://<HOST>/backup/upload_<FILENAME>. Due to broken access control, low-privileged authenticated users can also use this file upload functionality.
AI Analysis
Technical Summary
CVE-2024-45171 is a critical vulnerability identified in the za-internet C-MOR Video Surveillance system version 5.2401, stemming from improper user input validation and broken access control in the backup file upload functionality. The system allows authenticated users, even those with low privileges, to upload arbitrary files as long as the filename contains the string '.cbkf'. This loophole permits attackers to upload malicious PHP files disguised with the '.cbkf' substring, such as 'webshell.cbkf.php'. These files are stored in the '/srv/www/backups' directory, which is accessible via the web interface at URLs like https://<HOST>/backup/upload_<FILENAME>. Because the directory is web-accessible, attackers can execute uploaded PHP webshells remotely, leading to full remote code execution on the server. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). Exploitation requires authentication but no additional user interaction, and the attack surface includes any authenticated user, even those with minimal privileges, due to broken access control. The CVSS v3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk to organizations relying on this surveillance system for security monitoring.
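The filename condition described above, contrasted with a strict allow-list check, as an added example that is not part of the original page and is not C-MOR code. `substring_check` models the described behaviour; `strict_check`, `storage_name` and the sample names are hypothetical and constructed for illustration.

```python
import re
import secrets

# Constructed sample names; "webshell.cbkf.php" is the one the advisory cites.
SAMPLES = [
    "backup_2024.cbkf",   # ordinary backup name
    "webshell.cbkf.php",  # marker present, but the final extension is .php
    "x.php.cbkf",         # script extension placed before the marker
    "../backup.cbkf",     # path component in the name
    "backup.cbkf ",       # trailing whitespace
]

def substring_check(name: str) -> bool:
    """The condition the advisory describes: the name contains '.cbkf'."""
    return ".cbkf" in name

# Hypothetical strict rule (an assumption, not the vendor's fix): a bare name
# from a small character set with exactly one dot, ending in '.cbkf'.
STRICT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.cbkf")

def strict_check(name: str) -> bool:
    # fullmatch() anchors both ends, so suffixes, slashes, extra dots,
    # whitespace and NUL bytes all fail without separate special cases.
    return STRICT_NAME.fullmatch(name) is not None

def storage_name() -> str:
    """Server-generated name, so client input never reaches the filesystem."""
    return secrets.token_hex(16) + ".cbkf"

def compare(names):
    """Map each name to (substring verdict, strict verdict)."""
    return {n: (substring_check(n), strict_check(n)) for n in names}

if __name__ == "__main__":
    for name, (weak, strict) in compare(SAMPLES).items():
        print(f"{name!r:22} substring={weak!s:5} strict={strict}")
```

Every sample passes the substring test, while only the ordinary backup name passes the strict one.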
Potential Impact
The exploitation of CVE-2024-45171 can have severe consequences for affected organizations. Attackers gaining remote code execution can compromise the confidentiality of surveillance footage and sensitive data, manipulate or delete video records, and disrupt the availability of the surveillance system, potentially blinding physical security monitoring. The ability for low-privileged users to escalate privileges or execute arbitrary code increases the risk of lateral movement within the network, leading to broader compromise. This can result in unauthorized surveillance, data breaches, and operational downtime. Given the critical role of video surveillance in physical security, exploitation could also facilitate physical intrusions or sabotage. Organizations in sectors such as critical infrastructure, government, transportation, and large enterprises using C-MOR systems are particularly at risk. The lack of known patches or mitigations at the time of disclosure further elevates the threat level.
Mitigation Recommendations
To mitigate CVE-2024-45171, organizations should:
- Immediately restrict access to the backup file upload functionality to only highly trusted administrators, and disable it if it is not essential.
- Implement strict server-side validation that rejects any uploaded file whose name contains an executable extension or a suspicious substring such as '.php', wherever it appears in the filename.
- Employ web application firewalls (WAFs) to detect and block attempts to upload or access malicious files in the '/srv/www/backups' directory.
- Monitor web server logs for unusual access patterns to backup upload URLs and uploaded filenames.
- Segregate the backup upload directory from the web root, or configure the web server to deny execution of scripts in this directory.
- Enforce the principle of least privilege by reviewing user roles and removing unnecessary upload permissions from low-privileged users.
- Regularly audit and update the C-MOR system software and apply vendor patches once available.
- Consider network segmentation to isolate surveillance systems from critical infrastructure, limiting lateral movement in case of compromise.
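One way to implement the log-monitoring recommendation, as an added example that is not from the original page or the vendor: it flags requests to the `/backup/upload_<FILENAME>` URL form whose decoded filename is not a plain `*.cbkf` name. The combined log format, the sample lines (documentation IP ranges) and the allowed-name pattern are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (combined log format, documentation IPs).
LOG = """\
198.51.100.7 - - [12/Sep/2024:10:01:22 +0000] "GET /backup/upload_backup_2024.cbkf HTTP/1.1" 200 5120
198.51.100.9 - - [12/Sep/2024:10:03:41 +0000] "GET /backup/upload_webshell.cbkf.php HTTP/1.1" 200 42
203.0.113.5 - - [12/Sep/2024:10:04:02 +0000] "POST /backup/upload_report%2Ecbkf%2Ephp?x=1 HTTP/1.1" 404 0
198.51.100.7 - - [12/Sep/2024:10:05:10 +0000] "GET /index.php HTTP/1.1" 200 900
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PREFIX = "/backup/upload_"                        # URL form given in the advisory
EXPECTED = re.compile(r"[A-Za-z0-9_-]+\.cbkf")    # assumed legitimate name shape

def suspicious_requests(log_text: str):
    """Return (client, method, decoded filename, status) for odd backup URLs."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, _ts, method, target, status = m.groups()
        # Drop the query string, then percent-decode so encoded dots
        # cannot hide the real extension from the check.
        path = unquote(urlsplit(target).path)
        if not path.startswith(PREFIX):
            continue
        name = path[len(PREFIX):]
        if EXPECTED.fullmatch(name) is None:
            hits.append((client, method, name, int(status)))
    return hits

if __name__ == "__main__":
    for client, method, name, status in suspicious_requests(LOG):
        # A 200 means the server actually served (or ran) the file.
        print(f"{client} {method} {name!r} -> {status}")
```

A flagged request answered with status 200 deserves priority, since it shows the named file exists in the backup directory.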
Affected Countries
United States, Germany, France, United Kingdom, Japan, South Korea, China, India, Australia, Canada
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-08-22T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6ce8b7ef31ef0b56a195
Added to database: 2/25/2026, 9:43:04 PM
Last enriched: 2/26/2026, 8:07:54 AM
Last updated: 4/12/2026, 3:40:18 PM