CVE-2025-63296 is a firmware vulnerability identified in the KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera, specifically in firmware version 33.53.87. The root cause lies in the device's boot and update process, where the startup script /usr/sbin/anyka_service.sh scans all mounted TF/SD cards for the presence of a file named /mnt/update.nor.sh. If this file exists, the script copies it to /tmp/net.sh and executes it with root privileges. This behavior allows an attacker to achieve arbitrary code execution as root by placing a malicious update.nor.sh script on a removable storage device that the camera mounts during boot. The vulnerability does not require network access or authentication but does require physical access to the device's storage or the ability to insert a compromised SD card. This flaw could be exploited to install persistent malware, manipulate camera functionality, or pivot into connected networks. No CVSS score has been assigned yet, and no public exploits are reported. The vulnerability highlights insecure update mechanisms and lack of validation or authentication of update scripts on removable media.

For European organizations, this vulnerability could lead to severe consequences including unauthorized remote control of security cameras, exposure of sensitive video feeds, and potential lateral movement into corporate or critical infrastructure networks. The ability to execute arbitrary code as root compromises the device's integrity and availability, potentially allowing attackers to disable security monitoring or use the device as a foothold for further attacks. Organizations relying on these cameras for physical security or surveillance in sensitive environments such as government facilities, transportation hubs, or industrial sites face heightened risks. The confidentiality of monitored areas could be breached, and operational disruptions could occur if cameras are disabled or manipulated. Given the widespread use of Tuya-based IoT devices in Europe, the vulnerability could have broad implications if exploited at scale.

Immediate mitigation steps include physically securing devices to prevent unauthorized access to their storage media and disabling or restricting the execution of scripts from removable media if possible. Organizations should monitor for firmware updates from KERUI or Tuya addressing this vulnerability and apply patches promptly once available. Network segmentation of IoT devices, including security cameras, can limit the impact of a compromised device. Additionally, deploying endpoint detection and response (EDR) solutions capable of monitoring unusual process executions on IoT management platforms may help detect exploitation attempts. Vendors and integrators should review and harden update mechanisms to require cryptographic validation of update scripts and prevent execution of unauthorized code. Regular audits of device configurations and physical security controls are also recommended to reduce risk.