Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-63296

CVE-2025-63296: Kerui K259 Firmware RCE Vulnerability

CVE-2025-63296 is a remote code execution vulnerability in Kerui K259 5MP Wi-Fi Security Camera firmware that allows attackers to execute arbitrary code as root. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-63296 Overview

CVE-2025-63296 affects the KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera running firmware version 33.53.87. The device contains a code execution flaw in its boot and update logic. During startup, the /usr/sbin/anyka_service.sh script scans mounted TF/SD card storage for an update script. If /mnt/update.nor.sh exists, the service copies it to /tmp/net.sh and executes it as root. An attacker with physical access to the camera can insert a crafted SD card to run arbitrary commands with root privileges. The vulnerability maps to [CWE-77] Improper Neutralization of Special Elements used in a Command.

Critical Impact

Attackers with physical access can execute arbitrary shell commands as root by inserting an SD card containing update.nor.sh, leading to full device compromise and potential pivoting into the local network.

Affected Products

  • KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera (hardware)
  • KERUI K259 firmware version 33.53.87
  • Devices using the vulnerable anyka_service.sh boot logic

Discovery Timeline

  • 2025-11-10 - CVE-2025-63296 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-63296

Vulnerability Analysis

The KERUI K259 camera runs a Linux-based firmware built on the Anyka SoC platform. At boot, the init sequence executes /usr/sbin/anyka_service.sh as the root user. This script enumerates mounted removable storage — typically a TF/SD card — and searches for the file /mnt/update.nor.sh. When found, the script copies the file to /tmp/net.sh and invokes it directly with the shell.

Because the file is executed without integrity verification, digital signature validation, or vendor origin checks, any script content supplied on the SD card runs with full root privileges. The firmware treats the presence of the update file as sufficient authorization for command execution.

Root Cause

The root cause is a missing authenticity check on externally supplied executable content. The anyka_service.sh boot script trusts arbitrary files placed on removable media. There is no cryptographic verification, no allow-listed command set, and no confirmation that the update originated from KERUI. This design pattern maps to [CWE-77] and represents a classic insecure update mechanism in embedded IoT devices.

Attack Vector

Exploitation requires access to the camera's TF/SD card slot. An attacker prepares an SD card with a file named update.nor.sh containing arbitrary shell commands. Inserting the card and rebooting — or waiting for the update logic to run — causes the payload to execute as root. Payloads can install persistent backdoors, exfiltrate stored video, dump Wi-Fi credentials from configuration files, or pivot to devices on the same network. Public proof-of-concept material is referenced in GitHub CVE-2025-63296 Details and the associated GitHub Gist PoC Code.

Detection Methods for CVE-2025-63296

Indicators of Compromise

  • Presence of /tmp/net.sh on the camera filesystem after boot when no legitimate update was issued.
  • Unexpected update.nor.sh files on TF/SD cards used with the KERUI K259.
  • Outbound connections from the camera IP to unfamiliar hosts after an SD card insertion event.
  • Modified or newly created binaries under /usr/sbin/ or persistence entries invoking scripts from /tmp/.

Detection Strategies

  • Monitor network traffic from IoT camera VLANs for anomalous outbound sessions, DNS lookups, or reverse shell patterns.
  • Baseline expected camera-to-cloud destinations (Tuya endpoints) and alert on deviations.
  • Physically audit deployed KERUI K259 cameras for unauthorized SD cards.

Monitoring Recommendations

  • Log all DHCP leases and MAC addresses on IoT network segments to identify unexpected camera reboots or IP changes.
  • Capture NetFlow or firewall logs at the IoT segment boundary and retain them for retrospective hunting.
  • Alert on new listening ports or lateral movement attempts originating from camera IP addresses.

How to Mitigate CVE-2025-63296

Immediate Actions Required

  • Restrict physical access to deployed KERUI K259 cameras, especially the TF/SD card slot.
  • Remove any unauthorized SD cards and inspect existing cards for update.nor.sh files.
  • Isolate KERUI K259 devices on a dedicated VLAN with strict egress filtering.
  • Contact KERUI support to confirm patch availability for firmware after 33.53.87.

Patch Information

No vendor advisory or patched firmware version is listed in the NVD entry at the time of publication. Operators should monitor KERUI and Tuya channels for a firmware release that adds cryptographic validation to the update path. Until a fix is available, treat the device as physically trusted only.

Workarounds

  • Deploy the camera in tamper-resistant enclosures that block SD card slot access.
  • Place cameras behind a firewall that permits only required Tuya cloud destinations and blocks lateral traffic to internal assets.
  • Disable or physically remove the SD card slot where operationally feasible.
  • Replace affected units with cameras that implement signed firmware updates when high-assurance monitoring is required.
bash
# Example egress isolation rules for an IoT VLAN containing KERUI K259 cameras
# Adjust interface names and Tuya destination ranges to your environment
iptables -A FORWARD -i iot0 -d 10.0.0.0/8 -j DROP
iptables -A FORWARD -i iot0 -d 192.168.0.0/16 -j DROP
iptables -A FORWARD -i iot0 -d 172.16.0.0/12 -j DROP
iptables -A FORWARD -i iot0 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i iot0 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.