CVE-2020-5735 Overview
CVE-2020-5735 is a stack-based buffer overflow vulnerability affecting multiple Amcrest IP cameras and Network Video Recorder (NVR) devices. The vulnerability exists in the network service listening on port 37777, which handles device communication and management functions. An authenticated remote attacker can exploit this vulnerability to crash the affected device, causing a denial of service condition, and potentially achieve arbitrary code execution on the underlying embedded system.
This vulnerability is particularly concerning for IoT security as Amcrest cameras are widely deployed in both residential and commercial surveillance environments. The combination of network accessibility and potential for code execution makes this a significant threat to organizations relying on these devices for security monitoring.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Authenticated attackers can crash devices or potentially execute arbitrary code on vulnerable Amcrest cameras and NVRs via port 37777.
Affected Products
- Amcrest 1080-Lite 8CH NVR (firmware)
- Amcrest AMDV10814-H5 (firmware)
- Amcrest IPM-721 IP Camera (firmware)
- Amcrest IP2M-841 IP Camera (firmware)
- Amcrest IP2M-841-V3 IP Camera (firmware)
- Amcrest IP2M-853EW IP Camera (firmware)
- Amcrest IP2M-858W IP Camera (firmware)
- Amcrest IP2M-866W IP Camera (firmware)
- Amcrest IP2M-866EW IP Camera (firmware)
- Amcrest IP4M-1053EW IP Camera (firmware)
- Amcrest IP8M-2454EW IP Camera (firmware)
- Amcrest IP8M-2493EB IP Camera (firmware)
- Amcrest IP8M-2496EB IP Camera (firmware)
- Amcrest IP8M-2597E IP Camera (firmware)
- Amcrest IP8M-MB2546EW IP Camera (firmware)
- Amcrest IP8M-MT2544EW IP Camera (firmware)
- Amcrest IP8M-T2499EW IP Camera (firmware)
- Amcrest IPM-HX1 IP Camera (firmware)
Discovery Timeline
- April 8, 2020 - CVE-2020-5735 published to NVD
- October 31, 2025 - Last updated in NVD database
Technical Details for CVE-2020-5735
Vulnerability Analysis
CVE-2020-5735 is classified under CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). The vulnerability resides in the proprietary network service that listens on TCP port 37777, which is commonly used by Amcrest and Dahua-based camera systems for device management, configuration, and video streaming protocols.
The stack-based buffer overflow occurs when the service processes specially crafted network packets. Insufficient bounds checking on input data allows an attacker to write beyond the allocated stack buffer, corrupting adjacent memory including the return address. While authentication is required to trigger the vulnerability, default or weak credentials are common on these IoT devices, lowering the effective barrier to exploitation.
Successful exploitation can result in denial of service through device crashes, but more critically, an attacker may achieve arbitrary code execution. Given the embedded Linux environment typical of these devices, code execution could lead to complete device compromise, enabling attackers to access video feeds, pivot to other network resources, or incorporate the device into a botnet.
Root Cause
The root cause of this vulnerability is improper input validation in the network service handling port 37777 communications. The firmware fails to properly validate the length of user-supplied data before copying it into a fixed-size stack buffer. This classic buffer overflow pattern allows attackers to overwrite the stack frame, including saved return addresses and potentially other critical control data.
The vulnerability is exacerbated by the lack of modern exploit mitigations commonly found in embedded systems, such as stack canaries, ASLR (Address Space Layout Randomization), and non-executable stack protections, which would otherwise make exploitation more difficult.
Attack Vector
The attack is conducted over the network by sending malformed packets to port 37777 on vulnerable devices. The attacker must first authenticate to the device, though this requirement is mitigated by the prevalence of default credentials on IoT devices. Once authenticated, the attacker sends a specially crafted request containing an oversized payload that overflows the stack buffer.
The vulnerability can be triggered remotely from anywhere on the network that can reach the device on port 37777. In many deployments, these devices are exposed directly to the internet or accessible from internal networks without proper segmentation, significantly increasing the attack surface.
Detection Methods for CVE-2020-5735
Indicators of Compromise
- Unexpected device reboots or crashes of Amcrest cameras and NVRs
- Unusual network traffic patterns to/from port 37777 on affected devices
- Authentication attempts followed by device instability
- Anomalous outbound connections from camera devices indicating potential compromise
- Modified device configurations or unauthorized firmware changes
Detection Strategies
- Monitor network traffic for abnormally large packets or suspicious patterns targeting port 37777
- Implement intrusion detection rules to identify buffer overflow exploitation attempts against Amcrest device protocols
- Configure alerts for repeated authentication attempts against camera management interfaces
- Deploy network behavior analysis to detect compromised IoT devices exhibiting command-and-control communication patterns
Monitoring Recommendations
- Enable logging on network firewalls and IDS/IPS systems for all traffic to port 37777
- Implement network segmentation monitoring to detect lateral movement from IoT devices
- Establish baseline behavior for camera devices and alert on deviations
- Consider deploying dedicated IoT security monitoring solutions that can identify vulnerable firmware versions
How to Mitigate CVE-2020-5735
Immediate Actions Required
- Check the CISA Known Exploited Vulnerabilities Catalog for remediation deadlines if applicable to your organization
- Update firmware on all affected Amcrest devices to the latest available version
- Change default credentials immediately on all Amcrest cameras and NVRs
- Restrict network access to port 37777 using firewall rules to limit exposure
- Isolate IoT/camera devices on a dedicated network segment away from critical systems
Patch Information
Organizations should check the Amcrest support website for firmware updates addressing this vulnerability. Review the Tenable Security Research Report for detailed information about affected firmware versions and remediation guidance. Given that this vulnerability is listed in CISA's KEV catalog, federal agencies and organizations following CISA guidance should prioritize patching within mandated timeframes.
Workarounds
- Block or restrict access to TCP port 37777 at network perimeter and internal firewalls
- Place all affected devices behind a VPN, requiring VPN authentication before device access
- Disable remote access features if not required for operations
- Implement network access control (NAC) to limit which systems can communicate with camera devices
- Consider taking vulnerable devices offline until patches can be applied, especially if internet-exposed
# Example firewall rule to restrict port 37777 access
# Allow only from management VLAN (192.168.10.0/24) to camera subnet
iptables -A FORWARD -p tcp --dport 37777 -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 37777 -d 192.168.20.0/24 -j DROP
# Block external access to camera management port at perimeter
iptables -A INPUT -p tcp --dport 37777 -i eth0 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
