CVE-2025-34021: CWE-918 Server-Side Request Forgery (SSRF) in Selea Targa IP OCR-ANPR Camera
A server-side request forgery (SSRF) vulnerability exists in multiple Selea Targa IP OCR-ANPR camera models, including iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, and Targa 704 ILB. The application fails to validate user-supplied input in JSON POST parameters such as ipnotify_address and url, which are used by internal mechanisms to perform image fetch and DNS lookups. This allows remote unauthenticated attackers to induce the system to make arbitrary HTTP requests to internal or external systems, potentially bypassing firewall policies or conducting internal service enumeration. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-25 UTC.
AI Analysis
Technical Summary
CVE-2025-34021 is a server-side request forgery (SSRF) vulnerability identified in multiple Selea Targa IP OCR-ANPR camera models, including iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, and Targa 704 ILB. The vulnerability stems from the failure of the device's application to properly validate user-supplied input in JSON POST parameters such as ipnotify_address and url. These parameters are used internally by the device to perform HTTP image fetches and DNS lookups. An attacker can exploit this by sending crafted HTTP POST requests with malicious values in these parameters, causing the device to make arbitrary HTTP requests to internal or external network resources. This can lead to bypassing firewall policies, enabling attackers to access internal services that are otherwise inaccessible externally, and facilitating internal network reconnaissance or service enumeration. The vulnerability requires no authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N) reflects a network attack vector with low complexity and no privileges or user interaction required; the camera itself suffers no direct confidentiality, integrity or availability loss (VC:N/VI:N/VA:N), but subsequent systems reachable through it face high confidentiality impact and low integrity impact (SC:H/SI:L) because of the potential internal network access. Exploitation evidence was observed by the Shadowserver Foundation on January 25, 2025, indicating active scanning or attempted exploitation in the wild, though no confirmed widespread attacks have been reported. Affected firmware versions span multiple builds from late 2019 through 2020 and early 2021, indicating a broad exposure across deployed devices. The vulnerability is classified under CWE-918 (SSRF) and CWE-20 (Improper Input Validation). No official patches have been linked yet, emphasizing the need for interim mitigations.
Potential Impact
For European organizations, particularly those deploying Selea Targa IP OCR-ANPR cameras in critical infrastructure, law enforcement, transportation, or border security, this SSRF vulnerability poses significant risks. Exploitation can allow attackers to pivot from the exposed camera devices into internal networks, bypassing perimeter defenses and firewall rules. This can lead to unauthorized access to sensitive internal services, data exfiltration, or further lateral movement within the network. Given the cameras' role in surveillance and security, compromise could also undermine physical security monitoring and incident response capabilities. The ability to induce arbitrary HTTP requests without authentication increases the attack surface, especially in environments where these devices are internet-facing or poorly segmented. Additionally, attackers could use the vulnerability to perform internal service enumeration, aiding in more targeted attacks. The impact on confidentiality and integrity is high, while availability impact is moderate but could escalate if attackers leverage the vulnerability for denial-of-service or further exploitation. The vulnerability's exploitation could also damage organizational reputation and compliance posture under European data protection regulations if surveillance data or internal network information is exposed.
Mitigation Recommendations
1. Network Segmentation: Isolate Selea Targa IP OCR-ANPR cameras on dedicated VLANs or network segments with strict access controls to limit their ability to reach sensitive internal resources.
2. Firewall Rules: Implement egress filtering on camera network segments to restrict outbound HTTP requests only to trusted endpoints, blocking arbitrary external or internal requests.
3. Access Controls: Restrict management interfaces of the cameras to trusted administrative networks and IP addresses to prevent unauthorized access.
4. Monitoring and Logging: Enable detailed logging of HTTP requests initiated by the cameras and monitor for unusual or unexpected outbound connections indicative of SSRF exploitation attempts.
5. Vendor Coordination: Engage with Selea to obtain firmware updates or patches addressing the SSRF vulnerability and apply them promptly once available.
6. Input Validation Proxy: Where possible, deploy application-layer proxies or web application firewalls (WAFs) that can inspect and sanitize JSON POST parameters sent to the cameras.
7. Incident Response Preparedness: Develop and rehearse incident response plans specific to IoT device compromise scenarios, including containment and forensic analysis.
8. Inventory and Asset Management: Maintain an accurate inventory of all Selea camera models and firmware versions deployed to prioritize patching and mitigation efforts.
9. Disable Unused Features: If feasible, disable or restrict features that utilize the vulnerable JSON parameters (ipnotify_address, url) to reduce attack surface.
10. Regular Security Assessments: Conduct periodic penetration testing and vulnerability scanning focused on IoT devices to detect exploitation attempts early.
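The check that recommendation 6 asks an inline proxy or WAF to perform, written out as an added example (not Selea's code and not part of this advisory): it parses a JSON POST body, picks out the ipnotify_address and url parameters named above, and accepts a target only if its scheme is http(s), its host is on a deployment allowlist, and the address it resolves to matches the address pinned for that host, so loopback, link-local and rebinding answers are refused. The allowlist host, its pinned address and the injectable resolver are assumptions for offline use.

```python
import ipaddress
import json
import socket
from urllib.parse import urlsplit

# Hypothetical deployment allowlist: each permitted host is pinned to the address(es)
# it is expected to resolve to, so a DNS answer that changes later (rebinding) is rejected.
ALLOWED_TARGETS = {"anpr-collector.example.internal": {"192.0.2.10"}}
ALLOWED_SCHEMES = {"http", "https"}
# JSON POST parameters named in the advisory that feed the device's HTTP fetch / DNS lookup.
SENSITIVE_PARAMS = ("ipnotify_address", "url")

def validate_target(value, resolver=socket.gethostbyname):
    """Return (ok, reason) for one outbound target string; resolver is injectable for offline tests."""
    if not isinstance(value, str) or not value.strip():
        return False, "empty or non-string value"
    # ipnotify_address may be a bare host/IP rather than a URL; normalise so urlsplit sees a host.
    parts = urlsplit(value if "://" in value else "http://" + value)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if host is None or host not in ALLOWED_TARGETS:
        return False, f"host {host!r} not in allowlist"
    try:
        addr = resolver(host)
    except OSError:
        return False, "DNS resolution failed"
    ip = ipaddress.ip_address(addr)
    # Belt-and-braces: never allow the device to talk to itself or to link-local ranges.
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
        return False, f"host resolves to forbidden address {addr}"
    if addr not in ALLOWED_TARGETS[host]:
        return False, f"host resolves to {addr}, not its pinned address"
    return True, "ok"

def check_json_body(raw_body, resolver=socket.gethostbyname):
    """Inspect a JSON POST body as an inline proxy/WAF would; return the list of rejection reasons."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["malformed JSON body"]
    if not isinstance(body, dict):
        return ["JSON body is not an object"]
    problems = []
    for key in SENSITIVE_PARAMS:
        if key in body:
            ok, reason = validate_target(body[key], resolver)
            if not ok:
                problems.append(f"{key}: {reason}")
    return problems
```

An empty list means the body may be forwarded to the camera; any entry is a reason to drop the request and log it under recommendation 4.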
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.545Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68568e82aded773421b5a84d
Added to database: 6/21/2025, 10:50:42 AM
Last enriched: 11/20/2025, 10:31:52 PM
Last updated: 11/22/2025, 5:36:59 AM