Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-15680

Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-134 Utilización de formatos de cadenas de control externo
Fecha de publicación:
13/07/2026
Última modificación:
14/07/2026

Descripción

*** Pendiente de traducción *** Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit this vulnerability.<br /> <br /> The specific flaw exists within the parsing of JSON requests in the sonia binary. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-25884.

Referencias a soluciones, herramientas e información