CVE-2026-15680

Severity CVSS v4.0:
Pending analysis
Type:
CWE-134 Format String Vulnerability
Publication date:
13/07/2026
Last modified:
14/07/2026

Description

Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit this vulnerability.<br /> <br /> The specific flaw exists within the parsing of JSON requests in the sonia binary. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-25884.

References to Advisories, Solutions, and Tools