CVE-2020-37146 Overview
CVE-2020-37146 is a configuration disclosure vulnerability affecting the ACE Security WiP-90113 HD Camera. This vulnerability allows unauthenticated remote attackers to retrieve sensitive configuration files from the device by sending a simple GET request to the /config_backup.bin endpoint. The exposed configuration backup contains credentials and system settings, potentially enabling full device compromise and unauthorized access to video feeds.
Critical Impact
Unauthenticated attackers can remotely access sensitive configuration files containing credentials and system settings, enabling device takeover and unauthorized surveillance access.
Affected Products
- ACE Security WiP-90113 HD Camera
Discovery Timeline
- 2026-02-07 - CVE-2020-37146 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2020-37146
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The ACE Security WiP-90113 HD Camera exposes a sensitive administrative endpoint without requiring any authentication. The /config_backup.bin endpoint, which normally serves legitimate backup and restore functionality, lacks proper access controls and can be reached by any network-connected attacker.
The vulnerability is network-accessible and requires no user interaction or special privileges to exploit. An attacker simply needs network connectivity to the vulnerable camera to retrieve the configuration backup file. The attack complexity is low, making this vulnerability particularly dangerous in environments where IoT cameras are exposed to untrusted networks or the internet.
Root Cause
The root cause of this vulnerability is the complete absence of authentication mechanisms protecting the configuration backup endpoint. The camera's web server serves the /config_backup.bin file to any requesting client without validating credentials, session tokens, or any other form of authorization. This represents a fundamental design flaw where critical administrative functionality was deployed without access controls.
Attack Vector
The attack vector is network-based, requiring the attacker to have network access to the vulnerable camera. Exploitation is straightforward: an attacker sends an HTTP GET request to the /config_backup.bin endpoint on the target camera. The server responds with the complete configuration backup file, which typically contains administrative credentials, WiFi passwords, RTSP stream credentials, and other sensitive device settings.
Once an attacker obtains these credentials, they can gain full administrative access to the camera, view live video feeds, modify device settings, or use the compromised device as a pivot point for further network attacks. The unauthenticated nature of this vulnerability means mass scanning and exploitation of vulnerable devices is feasible.
For technical exploitation details, see the Exploit-DB #48127 entry and the VulnCheck Advisory.
Detection Methods for CVE-2020-37146
Indicators of Compromise
- HTTP GET requests to /config_backup.bin from external or unauthorized IP addresses
- Unusual download traffic patterns from camera devices to unknown destinations
- Authentication failures or unauthorized logins using credentials extracted from configuration files
- Configuration changes on camera devices without corresponding administrator activity
Detection Strategies
- Monitor network traffic for HTTP requests targeting /config_backup.bin on IoT camera subnets
- Implement intrusion detection rules to alert on unauthenticated access attempts to camera configuration endpoints
- Deploy network segmentation monitoring to detect unexpected cross-segment communication involving camera devices
- Review web server access logs on camera devices for suspicious endpoint access patterns
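The access-log review described above, as an added example that is not part of the original advisory: it parses common-log-format lines, flags every request for /config_backup.bin (query strings and case variants included) that does not come from an allowlisted management network, and records whether the server actually served the file. The log lines and the MANAGEMENT_NETS allowlist are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (common log format); not from any real device.
SAMPLE_LOG = """\
10.20.0.5 - - [07/Feb/2026:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1532
203.0.113.44 - - [07/Feb/2026:10:02:03 +0000] "GET /config_backup.bin HTTP/1.1" 200 8192
10.20.0.5 - - [07/Feb/2026:10:02:30 +0000] "GET /config_backup.bin HTTP/1.1" 200 8192
198.51.100.7 - - [07/Feb/2026:10:03:11 +0000] "GET /config_backup.bin?x=1 HTTP/1.1" 200 8192
192.0.2.9 - - [07/Feb/2026:10:04:00 +0000] "GET /CONFIG_BACKUP.BIN HTTP/1.1" 404 210
"""

# Hypothetical allowlist: management stations permitted to pull configuration backups.
MANAGEMENT_NETS = [ip_network("10.20.0.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return a dict of the interesting fields, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_backup_fetch(path):
    """True if the request path targets the backup endpoint, ignoring query string and case."""
    base = path.split("?", 1)[0]
    return base.lower() == "/config_backup.bin"

def find_suspicious(log_text, allowed=MANAGEMENT_NETS):
    """Return one record per /config_backup.bin request from outside the allowlist.
    'served' is True when the camera answered 200, i.e. the file actually left the device."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_backup_fetch(rec["path"]):
            continue
        src = ip_address(rec["ip"])
        if any(src in net for net in allowed):
            continue
        hits.append({"ip": rec["ip"], "ts": rec["ts"],
                     "status": rec["status"], "served": rec["status"] == 200})
    return hits

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} status={h['status']} served={h['served']}")
```

A request that was answered 200 means the credentials in the backup should be treated as exposed; a 404 or 403 is still an attempt worth correlating with the other indicators listed above.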
Monitoring Recommendations
- Isolate IoT cameras on dedicated VLANs with strict egress filtering and monitoring
- Implement network-based anomaly detection for unusual data transfers from camera devices
- Enable logging on network firewalls to capture all traffic to and from camera subnets
- Regularly audit camera device configurations for unauthorized changes
How to Mitigate CVE-2020-37146
Immediate Actions Required
- Immediately isolate affected ACE Security WiP-90113 cameras from untrusted networks and the internet
- Place cameras behind a firewall or VPN that restricts access to authorized users only
- Change all credentials stored on the device, assuming they may have been compromised
- Audit network logs for any prior unauthorized access to the /config_backup.bin endpoint
Patch Information
Consult the ACE Security Support Document for the latest firmware updates and security advisories. Contact the vendor directly to determine if a patched firmware version is available that addresses this configuration disclosure vulnerability.
Workarounds
- Deploy cameras behind a reverse proxy or firewall that blocks access to the /config_backup.bin endpoint
- Implement network-level access controls to restrict camera access to authorized management stations only
- Use a VPN to access camera administration interfaces rather than exposing them directly
- If possible, disable the web interface entirely and manage cameras through alternative secure methods
# Example firewall rule to block access to the configuration endpoint (iptables).
# Replace CAMERA_IP with the actual IP address of the vulnerable camera.
# Applies to traffic routed through this host (FORWARD chain); the string match only
# sees plaintext HTTP on port 80 and is a stopgap, not a replacement for network isolation.
iptables -A FORWARD -d CAMERA_IP -p tcp --dport 80 -m string --string "/config_backup.bin" --algo bm -j DROP

# Example nginx reverse proxy configuration to block the endpoint.
# Place inside the server block that fronts the camera; deny all already answers 403.
location /config_backup.bin {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.