CVE-2024-58336: Missing Authentication for Critical Function in The Akuvox Company Akuvox Smart Doorphone
Akuvox Smart Intercom S539 contains a missing-authentication vulnerability that allows remote attackers to access live video streams by requesting the video.cgi endpoint on port 8080. Attackers can retrieve video stream data without credentials by directly requesting that endpoint on affected Akuvox doorphone and intercom devices.
AI Analysis
Technical Summary
CVE-2024-58336 is a vulnerability identified in Akuvox Smart Doorphone devices, specifically models S539, S532, X916, X915, and X912. The issue is a missing authentication check on the video.cgi endpoint of the device's web service on TCP port 8080, which streams live video from the unit's camera. Because the endpoint performs no authentication, anyone who can reach port 8080 on the device can request it and receive the live stream with no credentials and no user interaction: a single unauthenticated HTTP request is sufficient. The CVSS 4.0 vector reflects this: network attack vector (AV:N), no privileges required (PR:N), no user interaction (UI:N), and high confidentiality impact (VC:H) with no integrity or availability impact. The practical effect is that an attacker can watch the camera feed and capture information about the premises and the people using the entrance. No exploit complexity or social engineering is involved, so any device whose port 8080 is reachable from the internet, a guest network, or another tenant's segment should be treated as exposed. Akuvox devices are commonly deployed in commercial and residential buildings for intercom and access control, so leaked video can translate into privacy violations, corporate espionage, or reconnaissance for physical intrusion. No public exploit was known at the time of writing, but the base score of 8.7 (High under CVSS 4.0) reflects how little an attacker needs in order to succeed. No patch was available at the time of publication, so compensating controls are the immediate priority.
Potential Impact
For European organizations, the impact of CVE-2024-58336 is significant. Unauthorized access to live video streams can lead to serious privacy breaches, exposing building occupants, entry routines, and physical layouts. This can facilitate targeted physical intrusions, espionage, or harassment. Organizations relying on Akuvox devices for intercom and access control may find their physical security posture weakened. Critical infrastructure facilities, government buildings, corporate offices, and residential complexes using these devices are at risk. Because camera footage of identifiable people is personal data, the confidentiality breach can also amount to non-compliance under GDPR, with legal and financial consequences. Since no credentials are presented, exploitation produces no failed-login events on the device, so organizations that do not capture traffic to port 8080 at a firewall or proxy are unlikely to notice it. The reputational damage from such privacy violations can be substantial, especially for organizations handling sensitive or classified information.
Mitigation Recommendations
1. Immediately restrict network access to Akuvox devices with firewall rules that allow only trusted internal IP ranges to reach them, blocking all external or untrusted traffic to port 8080. Verify the change from an untrusted vantage point (for example a guest network or an external host) by confirming that TCP/8080 on the device is no longer reachable.
2. Segment the network to isolate IoT and smart-device traffic from critical business systems and sensitive data environments.
3. Monitor network traffic and device logs for requests to the video.cgi endpoint from outside the trusted ranges. Because the endpoint requires no credentials, the device itself will not record a failed login, so capture the traffic at a firewall, proxy, or IDS that sees the HTTP requests.
4. Engage with Akuvox or authorized vendors to obtain firmware updates or patches addressing this vulnerability as soon as they become available.
5. If firmware updates are not yet available, consider disabling or blocking the video streaming service on the device if the firmware allows it. Test first, since management apps or monitoring integrations may depend on the same service.
6. Conduct regular security assessments of all smart building devices to identify and remediate similar unauthenticated endpoints proactively.
7. Educate facility management and IT teams about the risks of exposed IoT devices and enforce strict device configuration and access policies.
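The detection in step 3 can be automated once HTTP requests to the doorphones are being logged somewhere. The script below is an added example, not Akuvox code or part of this advisory: it parses a constructed, generic access-log format (timestamp, source, destination:port, method, path, status), flags any successful request to video.cgi on port 8080 whose source is outside a trusted allowlist, and groups the hits per device. The trusted ranges, the request path `/video.cgi`, and the log layout are all assumptions to adapt to your environment; the real field order depends on the proxy, IDS, or firewall producing the records.

```python
"""Flag successful video.cgi requests from untrusted sources.

Added example for CVE-2024-58336, not vendor code. Assumes HTTP access
records for traffic reaching the doorphones are already being collected
(reverse proxy, IDS, or layer-7 firewall logging). The log format below
is constructed for illustration; adapt LINE_RE to your real source.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Networks allowed to reach the intercom web service.
# Assumption: replace with your building-management / security VLANs.
TRUSTED_NETS = [
    ipaddress.ip_network("10.20.30.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Constructed sample log lines (not real captures), one request per line:
#   <ts> <src_ip> -> <dst_ip>:<dst_port> <method> <path> <status>
SAMPLE_LOG = """\
2025-12-30T22:10:01Z 10.20.30.15 -> 10.20.30.200:8080 GET /video.cgi 200
2025-12-30T22:10:05Z 203.0.113.44 -> 10.20.30.200:8080 GET /video.cgi 200
2025-12-30T22:10:09Z 198.51.100.7 -> 10.20.30.200:8080 GET /video.cgi?ch=1 200
2025-12-30T22:10:12Z 203.0.113.44 -> 10.20.30.200:80 GET /index.html 401
2025-12-30T22:10:20Z 192.168.100.9 -> 10.20.30.201:8080 GET /video.cgi 200
2025-12-30T22:10:25Z 198.51.100.7 -> 10.20.30.201:8080 HEAD /video.cgi 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    path: str
    status: int


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def is_video_cgi(path: str, port: int) -> bool:
    """Match the vulnerable endpoint on 8080, ignoring any query string."""
    return port == 8080 and path.split("?", 1)[0].endswith("/video.cgi")


def find_untrusted_stream_access(log_text: str) -> list[Finding]:
    """Return every 2xx response to video.cgi served to a non-allowlisted client."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        port = int(m["port"])
        status = int(m["status"])
        if not is_video_cgi(m["path"], port):
            continue
        # A 2xx here means the device handed the stream to that client
        # without any credentials; from outside the allowlist that is
        # exactly the exposure this advisory describes.
        if status // 100 == 2 and not is_trusted(m["src"]):
            findings.append(Finding(m["ts"], m["src"], m["dst"], m["path"], status))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group untrusted clients per device so each exposed unit is listed once."""
    by_device: dict[str, set[str]] = {}
    for f in findings:
        by_device.setdefault(f.dst, set()).add(f.src)
    return {dst: sorted(srcs) for dst, srcs in by_device.items()}


if __name__ == "__main__":
    hits = find_untrusted_stream_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} untrusted {h.src} fetched {h.path} from {h.dst}")
    print(summarize(hits))
```

On the constructed sample the trusted clients on 10.20.30.0/24 and 192.168.100.0/24 are ignored, the port-80 login attempt is ignored, and the three stream fetches from 203.0.113.44 and 198.51.100.7 are reported against the two devices they hit. Any non-empty result is evidence that the firewall restriction in step 1 is not yet effective for that device.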
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-26T17:10:59.893Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6954592edb813ff03e38557d
Added to database: 12/30/2025, 10:58:54 PM
Last enriched: 1/17/2026, 7:23:27 AM
Last updated: 2/7/2026, 8:42:50 AM
Related Threats
- CVE-2026-2078: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2026-25533: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') in agentfront enclave (Medium)
- CVE-2026-25123: CWE-918: Server-Side Request Forgery (SSRF) in homarr-labs homarr (Medium)
- CVE-2025-68621: CWE-208: Observable Timing Discrepancy in TriliumNext Trilium (High)
- CVE-2026-2074: XML External Entity Reference in O2OA (Medium)