The vulnerability CVE-2025-34021 is a server-side request forgery (SSRF) issue in multiple Selea Targa IP OCR-ANPR camera models. It stems from insufficient validation of user-controlled JSON POST parameters (ipnotify_address and url) that the device uses to perform internal HTTP requests and DNS lookups. This allows remote unauthenticated attackers to coerce the device into making arbitrary HTTP requests, potentially bypassing firewall policies or enumerating internal services. The affected versions include various firmware builds and CPS versions. The CVSS 4.0 base score is 7.8, indicating high severity. Exploitation activity was confirmed by Shadowserver Foundation on 2025-01-25. No patch or official fix is currently documented.

Successful exploitation allows unauthenticated remote attackers to make the vulnerable camera devices perform arbitrary HTTP requests to internal or external systems. This can lead to bypassing firewall restrictions and internal network service enumeration, which may facilitate further attacks or information gathering within the network environment. There is no direct evidence of further impact such as code execution or data compromise provided in the available information.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix is documented, it is recommended to monitor the vendor's security advisories closely. Until a fix is available, consider restricting network access to the affected devices to trusted management networks only and implement network-level controls to limit the device's ability to make arbitrary outbound HTTP requests. Avoid exposing these devices directly to untrusted networks.