CVE-2025-34021: CWE-918 Server-Side Request Forgery (SSRF) in Selea Targa IP OCR-ANPR Camera
A server-side request forgery (SSRF) vulnerability exists in multiple Selea Targa IP OCR-ANPR camera models, including iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, and Targa 704 ILB. The application fails to validate user-supplied input in JSON POST parameters such as ipnotify_address and url, which are used by internal mechanisms to perform image fetch and DNS lookups. This allows remote unauthenticated attackers to induce the system to make arbitrary HTTP requests to internal or external systems, potentially bypassing firewall policies or conducting internal service enumeration.
AI Analysis
Technical Summary
CVE-2025-34021 is a high-severity server-side request forgery (SSRF) vulnerability affecting multiple models of Selea Targa IP OCR-ANPR cameras, including iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, and Targa 704 ILB. The vulnerability arises due to insufficient validation of user-supplied input in JSON POST parameters such as 'ipnotify_address' and 'url'. These parameters are used internally by the camera's software to perform image fetching and DNS lookups. Because the input is not properly sanitized or validated, an unauthenticated remote attacker can craft malicious requests that cause the camera to initiate arbitrary HTTP requests to internal or external network resources. This can lead to bypassing firewall restrictions and enable attackers to perform internal network reconnaissance or access otherwise inaccessible services. The vulnerability affects multiple firmware versions, including builds from 2019 through 2020 and CPS versions 3.x and 4.x. The CVSS 4.0 score is 7.8, indicating a high severity, with an attack vector of network, no required privileges or user interaction, and a high scope impact. No known exploits are currently reported in the wild, and no patches have been linked yet. The underlying weakness corresponds to CWE-918 (SSRF) and CWE-20 (Improper Input Validation). Given the nature of the vulnerability, attackers can leverage it to pivot into internal networks, potentially compromising confidentiality and integrity of internal systems or disrupting availability by targeting critical internal services or infrastructure components.
Potential Impact
For European organizations deploying Selea Targa IP OCR-ANPR cameras, this SSRF vulnerability poses significant risks. These cameras are often used in critical infrastructure environments such as traffic monitoring, law enforcement, toll collection, and urban surveillance. Exploitation could allow attackers to bypass perimeter defenses and access internal networks, leading to unauthorized data access, internal service enumeration, and possibly lateral movement within the network. This could compromise sensitive data, disrupt operational technology systems, or facilitate further attacks such as ransomware or espionage. The ability to induce arbitrary HTTP requests without authentication increases the attack surface and lowers the barrier to exploitation. Given the strategic use of these cameras in public safety and transportation sectors, successful exploitation could undermine public trust and cause operational disruptions. Additionally, the vulnerability could be leveraged to map internal network topologies, aiding attackers in planning more sophisticated intrusions. The lack of user interaction and authentication requirements means attacks can be automated and launched remotely, increasing the threat level for European entities relying on these devices.
Mitigation Recommendations
Implement network segmentation to isolate Selea Targa IP OCR-ANPR cameras from critical internal systems, limiting the impact of any SSRF exploitation. Deploy strict egress filtering and firewall rules to restrict outbound HTTP requests from the cameras to only trusted and necessary endpoints, preventing arbitrary external requests. Monitor network traffic from these cameras for unusual or unexpected outbound connections, particularly to internal IP ranges or suspicious external domains. If possible, disable or restrict the functionality that uses the vulnerable JSON POST parameters ('ipnotify_address' and 'url') until a vendor patch is available. Engage with Selea to obtain firmware updates or patches addressing this vulnerability; prioritize timely deployment once available. Use web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) with SSRF detection capabilities to identify and block exploitation attempts. Conduct internal audits of all deployed Selea Targa IP OCR-ANPR camera models and firmware versions to identify affected devices and assess exposure. Implement strict input validation proxies or gateways if the cameras must interact with external services, to sanitize or block malicious requests. Educate security teams about SSRF risks and ensure incident response plans include scenarios involving IoT device exploitation.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
CVE-2025-34021: CWE-918 Server-Side Request Forgery (SSRF) in Selea Targa IP OCR-ANPR Camera
Description
A server-side request forgery (SSRF) vulnerability exists in multiple Selea Targa IP OCR-ANPR camera models, including iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, and Targa 704 ILB. The application fails to validate user-supplied input in JSON POST parameters such as ipnotify_address and url, which are used by internal mechanisms to perform image fetch and DNS lookups. This allows remote unauthenticated attackers to induce the system to make arbitrary HTTP requests to internal or external systems, potentially bypassing firewall policies or conducting internal service enumeration.
AI-Powered Analysis
Technical Analysis
CVE-2025-34021 is a high-severity server-side request forgery (SSRF) vulnerability affecting multiple models of Selea Targa IP OCR-ANPR cameras, including iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, and Targa 704 ILB. The vulnerability arises due to insufficient validation of user-supplied input in JSON POST parameters such as 'ipnotify_address' and 'url'. These parameters are used internally by the camera's software to perform image fetching and DNS lookups. Because the input is not properly sanitized or validated, an unauthenticated remote attacker can craft malicious requests that cause the camera to initiate arbitrary HTTP requests to internal or external network resources. This can lead to bypassing firewall restrictions and enable attackers to perform internal network reconnaissance or access otherwise inaccessible services. The vulnerability affects multiple firmware versions, including builds from 2019 through 2020 and CPS versions 3.x and 4.x. The CVSS 4.0 score is 7.8, indicating a high severity, with an attack vector of network, no required privileges or user interaction, and a high scope impact. No known exploits are currently reported in the wild, and no patches have been linked yet. The underlying weakness corresponds to CWE-918 (SSRF) and CWE-20 (Improper Input Validation). Given the nature of the vulnerability, attackers can leverage it to pivot into internal networks, potentially compromising confidentiality and integrity of internal systems or disrupting availability by targeting critical internal services or infrastructure components.
Potential Impact
For European organizations deploying Selea Targa IP OCR-ANPR cameras, this SSRF vulnerability poses significant risks. These cameras are often used in critical infrastructure environments such as traffic monitoring, law enforcement, toll collection, and urban surveillance. Exploitation could allow attackers to bypass perimeter defenses and access internal networks, leading to unauthorized data access, internal service enumeration, and possibly lateral movement within the network. This could compromise sensitive data, disrupt operational technology systems, or facilitate further attacks such as ransomware or espionage. The ability to induce arbitrary HTTP requests without authentication increases the attack surface and lowers the barrier to exploitation. Given the strategic use of these cameras in public safety and transportation sectors, successful exploitation could undermine public trust and cause operational disruptions. Additionally, the vulnerability could be leveraged to map internal network topologies, aiding attackers in planning more sophisticated intrusions. The lack of user interaction and authentication requirements means attacks can be automated and launched remotely, increasing the threat level for European entities relying on these devices.
Mitigation Recommendations
Implement network segmentation to isolate Selea Targa IP OCR-ANPR cameras from critical internal systems, limiting the impact of any SSRF exploitation. Deploy strict egress filtering and firewall rules to restrict outbound HTTP requests from the cameras to only trusted and necessary endpoints, preventing arbitrary external requests. Monitor network traffic from these cameras for unusual or unexpected outbound connections, particularly to internal IP ranges or suspicious external domains. If possible, disable or restrict the functionality that uses the vulnerable JSON POST parameters ('ipnotify_address' and 'url') until a vendor patch is available. Engage with Selea to obtain firmware updates or patches addressing this vulnerability; prioritize timely deployment once available. Use web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) with SSRF detection capabilities to identify and block exploitation attempts. Conduct internal audits of all deployed Selea Targa IP OCR-ANPR camera models and firmware versions to identify affected devices and assess exposure. Implement strict input validation proxies or gateways if the cameras must interact with external services, to sanitize or block malicious requests. Educate security teams about SSRF risks and ensure incident response plans include scenarios involving IoT device exploitation.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2025-04-15T19:15:22.545Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68568e82aded773421b5a84d
Added to database: 6/21/2025, 10:50:42 AM
Last enriched: 6/21/2025, 11:21:01 AM
Last updated: 8/7/2025, 8:05:58 PM
Views: 13
Related Threats
CVE-2025-20048: Escalation of Privilege in Intel(R) Trace Analyzer and Collector software
MediumCVE-2025-20037: Escalation of Privilege in Intel(R) Converged Security and Management Engine
MediumCVE-2025-20025: Denial of Service in TinyCBOR libraries maintained by Intel(R)
MediumCVE-2025-20023: Escalation of Privilege in Intel(R) Graphics Driver software installers
MediumCVE-2025-20017: Escalation of Privilege in Intel(R) oneAPI Toolkit and component software installers
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.