
CVE-2026-2985: Server-Side Request Forgery in Tiandy Video Surveillance System 视频监控平台

Severity: Medium
Type: Vulnerability
Published: Mon Feb 23 2026 (02/23/2026, 10:32:49 UTC)
Source: CVE Database V5
Vendor/Project: Tiandy
Product: Video Surveillance System 视频监控平台

Description

A security flaw has been discovered in Tiandy Video Surveillance System 视频监控平台 7.17.0. It affects the function downloadImage in the file /com/tiandy/easy7/core/bo/CLSBODownLoad.java: manipulating the argument urlPath leads to server-side request forgery. The attack can be carried out remotely. An exploit has been released to the public and may be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 02/23/2026, 11:04:50 UTC

Technical Analysis

CVE-2026-2985 is a server-side request forgery (SSRF) vulnerability in Tiandy Video Surveillance System version 7.17.0. The flaw is in the downloadImage function of CLSBODownLoad.java, where the urlPath parameter is not sufficiently validated before the server fetches it. An attacker who controls that argument can make the server issue HTTP requests of the attacker's choosing to internal or external hosts. SSRF of this kind is used to bypass firewall restrictions, reach internal services that are not exposed to the attacker directly, and perform reconnaissance inside private networks. The advisory does not state whether the fetched content is returned to the requester: a full-read SSRF would additionally expose the responses of internal services, while a blind one still allows port scanning and interaction with internal HTTP endpoints. According to the CVSS 4.0 vector the attack is network-reachable, of low complexity and needs neither privileges nor user interaction, with limited impact on confidentiality, integrity and availability, giving a medium severity score of 5.3. The vendor was notified early but has issued neither a patch nor mitigation guidance, and a public exploit is available, which raises the likelihood of active exploitation. Until an official fix is released, organizations must rely on compensating controls.

Potential Impact

The direct impact is that an attacker can make the Tiandy server send requests on their behalf to internal or external systems. That enables reconnaissance of the internal network and can expose internal services or data that are otherwise unreachable, including cloud metadata services, internal APIs and other devices on the surveillance network, from which an attacker may pivot. Although the rated impact on confidentiality, integrity and availability is limited, the SSRF is a stepping stone to more severe attacks such as data exfiltration, lateral movement or exploitation of further vulnerabilities in internal infrastructure. Organizations running Tiandy surveillance systems face an increased risk of network compromise, especially where the system is exposed to the internet or poorly segmented from the rest of the network. The absence of a vendor patch together with a public exploit makes mitigation urgent.

Mitigation Recommendations

1. Restrict outbound connections from the Tiandy server with network segmentation and egress firewall rules: allow only the destinations it legitimately needs and explicitly deny loopback, RFC 1918, link-local (169.254.0.0/16, which includes any cloud metadata endpoint) and the management network. Because an SSRF request originates from the server itself, this outbound control is the one that still holds if the application-level filtering below is bypassed.
2. Monitor outbound connections from the surveillance system with network monitoring or an intrusion detection system and alert on connections to internal hosts, unusual ports or unknown external destinations.
3. If possible, disable or restrict the downloadImage functionality until a vendor patch is available.
4. Put a web application firewall (WAF) or reverse proxy in front of the vulnerable endpoint and validate the urlPath parameter there: allow only http and https, prefer an allowlist of expected hosts or at least reject private, loopback and link-local destinations, and normalise percent-encoding and alternative address notations (decimal, hexadecimal, IPv4-mapped IPv6) before the check so they cannot slip past a naive string filter.
5. Regularly audit and monitor logs for unusual access patterns, in particular for urlPath values that point at internal addresses or use non-HTTP schemes.
6. Engage the vendor for updates and patches, and consider alternative solutions if no remediation is forthcoming.
7. Limit exposure by placing the surveillance system behind a VPN or on internal-only networks rather than making it directly reachable from the internet.
8. Maintain an inventory of all Tiandy devices and their software versions so that patching can be prioritised once a fix is available.
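To make the missing validation described in the Technical Analysis and mitigation items 2, 4 and 5 concrete, the following is an added example in Python; it is not Tiandy's Java CLSBODownLoad code, which the advisory does not reproduce. It implements a destination check of the kind the urlPath argument should pass before the server fetches it, and runs that same check over web access log lines to flag requests whose urlPath pointed at loopback, private or link-local addresses or at non-HTTP schemes. The /download endpoint path, the host names, the DNS table and the log lines are constructed for the demo; only the parameter name urlPath comes from the advisory.

```python
"""Destination check for a server-side URL fetch, plus an access-log scan for
abuse of the same parameter. Added example; not Tiandy code. Demo data is constructed."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Ranges a server-side fetcher must never reach: unspecified, loopback, RFC 1918,
# CGNAT, link-local (covers the 169.254.169.254 metadata service), multicast/reserved.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def os_resolver(host):
    """Resolve through the OS; this also normalises literals like 0x7f000001."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # strip IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in BLOCKED_NETWORKS)

def check_fetch_url(url, resolver=os_resolver):
    """Return (ok, reason) for a URL the server has been asked to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"malformed url: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url"
    if not parts.hostname:
        return False, "missing host"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addresses = resolver(parts.hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"resolution failed: {exc}"
    # Check every record: a name with one public and one private address must
    # fail, because the HTTP client may pick the private one.
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"resolves to blocked address {addr}"
    return True, "ok"

# Combined-format access log line; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def scan_access_log(lines, resolver=os_resolver):
    """Flag logged requests whose urlPath would fail check_fetch_url."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes, so the URL is inspected as the server saw it.
        for url in parse_qs(urlsplit(m["target"]).query).get("urlPath", []):
            ok, reason = check_fetch_url(url, resolver)
            if not ok:
                hits.append({"src": m["src"], "ts": m["ts"],
                             "urlPath": url, "reason": reason})
    return hits

# Constructed demo data (assumptions, not values from the advisory).
FAKE_DNS = {
    "cdn.example": {"198.51.100.20"},
    "rebind.example": {"198.51.100.21", "127.0.0.1"},  # public + loopback record
}

def fake_resolver(host):
    """Offline stand-in for os_resolver: IP literals plus the table above."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        if host in FAKE_DNS:
            return FAKE_DNS[host]
        raise socket.gaierror(f"no such host: {host}")

SAMPLE_LOG = """\
203.0.113.5 - - [23/Feb/2026:10:32:49 +0000] "GET /download?urlPath=https%3A%2F%2Fcdn.example%2Fimg%2F1.jpg HTTP/1.1" 200 5120
203.0.113.9 - - [23/Feb/2026:10:33:01 +0000] "GET /download?urlPath=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 312
203.0.113.9 - - [23/Feb/2026:10:33:07 +0000] "GET /download?urlPath=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 981
203.0.113.9 - - [23/Feb/2026:10:33:12 +0000] "GET /download?urlPath=http%3A%2F%2Frebind.example%2Fx.jpg HTTP/1.1" 200 77
203.0.113.9 - - [23/Feb/2026:10:33:20 +0000] "GET /download?urlPath=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines(), fake_resolver):
        print(hit["ts"], hit["src"], hit["urlPath"], "->", hit["reason"])
```

Two gaps the check alone does not close. Resolving the name here and then letting the HTTP client resolve it again is a time-of-check/time-of-use window (DNS rebinding), so the client should connect to the address that was validated and send the original host name in the Host header. A permitted public host can also answer with a 3xx redirect to an internal address, so redirects must be disabled or every hop re-checked. The egress filtering in item 1 is what still holds when either bypass succeeds.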


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-22T16:48:08.502Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699c3035be58cf853b75f0fd

Added to database: 2/23/2026, 10:47:17 AM

Last enriched: 2/23/2026, 11:04:50 AM

Last updated: 2/23/2026, 7:02:01 PM

