CVE-2025-63296 is a command injection vulnerability in the firmware version 33.53.87 of the KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera. The root cause lies in the device's boot and update mechanism, specifically the script /usr/sbin/anyka_service.sh, which during system startup scans any mounted TF/SD cards for a script named /mnt/update.nor.sh. If this file is present, the script copies it to /tmp/net.sh and executes it with root privileges. This behavior allows an attacker who can place a malicious script on the SD card to execute arbitrary commands as root on the device without any authentication or user interaction. The vulnerability is categorized under CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating command injection risks. The CVSS v3.1 base score is 6.5, with attack vector Network (AV:N), attack complexity Low (AC:L), no privileges required (PR:N), no user interaction (UI:N), scope unchanged (S:U), and impacts on confidentiality and integrity (C:L/I:L) but no availability impact (A:N). Although no public exploits are currently known, the vulnerability could be exploited remotely if the device’s SD card interface is accessible over the network or physically by an attacker. The lack of authentication and user interaction requirements increases the risk. This vulnerability could lead to unauthorized control over the camera, data leakage, or use of the device as a pivot point for further network attacks. The firmware does not currently have a patch available, increasing the urgency for mitigation.

For European organizations, the impact of this vulnerability can be significant, especially for those deploying KERUI K259 or similar Tuya-based smart security cameras in sensitive environments such as corporate offices, government buildings, or critical infrastructure. Exploitation could allow attackers to gain root-level control over the device, enabling them to manipulate video feeds, disable security monitoring, or use the compromised device as a foothold for lateral movement within the network. Confidentiality is at risk as attackers could intercept or alter video streams or extract sensitive information stored on the device. Integrity is also compromised due to the possibility of executing arbitrary commands, potentially altering device behavior or firmware. Although availability impact is not indicated, attackers could disrupt security operations indirectly. The medium severity score reflects a moderate but tangible risk, especially given the lack of authentication and ease of exploitation. Organizations relying on these cameras for security monitoring should consider the risk of unauthorized access and potential compliance implications under GDPR if personal data is exposed.

To mitigate CVE-2025-63296, European organizations should implement the following specific measures: 1) Physically secure devices to prevent unauthorized access to the TF/SD card slot, including tamper-evident seals or enclosures. 2) Disable or restrict the use of external SD cards if not required for normal operation. 3) Monitor device startup logs and network traffic for unusual activity indicative of unauthorized script execution. 4) Network segmentation to isolate IoT devices from critical infrastructure and sensitive data networks, limiting potential lateral movement. 5) Regularly audit and inventory all deployed KERUI K259 and Tuya-based cameras to identify vulnerable devices. 6) Engage with the vendor or firmware provider to obtain patches or firmware updates addressing this vulnerability as soon as they become available. 7) Implement compensating controls such as endpoint detection and response (EDR) solutions that can detect anomalous behavior on IoT devices. 8) Educate staff on the risks of physical device tampering and ensure secure installation environments. These steps go beyond generic advice by focusing on physical security, network architecture, and proactive monitoring tailored to the vulnerability’s exploitation vector.