CVE-2026-2985 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been discovered in Tiandy Video Surveillance System (视频监控平台) version 7.17.0. This security flaw impacts the downloadImage function located in the file /com/tiandy/easy7/core/bo/CLSBODownLoad.java. By manipulating the urlPath argument, an attacker can perform SSRF attacks to access internal resources, scan internal networks, or potentially interact with other internal services that should not be publicly accessible.
Critical Impact
An authenticated attacker with a low-privileged account can make the vulnerable server issue HTTP(S) requests to destinations of the attacker's choosing. Depending on what the downloadImage response returns to the caller, this exposes internal resources, leaks data from internal services, and gives a foothold for pivoting to other internal systems, including the camera and NVR networks the platform is connected to.
Affected Products
- Tiandy Video Surveillance System (视频监控平台) 7.17.0
- Affected component: downloadImage function in /com/tiandy/easy7/core/bo/CLSBODownLoad.java
Discovery Timeline
- February 23, 2026 - CVE-2026-2985 published to NVD
- February 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-2985
Vulnerability Analysis
This vulnerability is classified as CWE-918: Server-Side Request Forgery (SSRF). The affected component is the downloadImage function within the CLSBODownLoad.java file, which handles image download operations in the Tiandy Video Surveillance platform. The function fails to properly validate or sanitize the urlPath parameter before using it to construct and execute server-side HTTP requests.
SSRF vulnerabilities allow attackers to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In video surveillance systems, this is particularly concerning as these systems often have access to sensitive internal networks and camera feeds. The exploit has been publicly disclosed, increasing the risk of active exploitation.
Root Cause
The root cause of this vulnerability lies in improper input validation of the urlPath argument in the downloadImage function. The application accepts user-controlled URL input without adequately verifying that the target destination is a legitimate and expected resource. This allows attackers to supply malicious URLs pointing to internal services, cloud metadata endpoints, or other sensitive resources that the server can access.
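The destination check that downloadImage lacks, written out as an added reference example (this is not Tiandy's code, and the allowlist entries, the permitted camera subnet, the constructed DNS table and all function names are assumed placeholders). It enforces a scheme, port and hostname allowlist, resolves the name and rejects any answer in loopback, link-local, private or reserved space while carving out the internal subnet the platform legitimately pulls images from, and returns a pinned address so the fetch cannot be redirected by a second DNS answer:

```python
"""Destination guard for a server-side image fetch such as downloadImage(urlPath).

Added reference code, not Tiandy's implementation: ALLOWED_HOSTS,
PERMITTED_INTERNAL_NETS, FAKE_DNS and the function names are assumed placeholders.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the platform is expected to fetch images from (assumed placeholders).
ALLOWED_HOSTS = {"cdn.example.com", "nvr01.cams.example.local"}
# A surveillance server legitimately talks to cameras/NVRs on private addresses, so a
# blanket "no RFC 1918" rule needs an explicit carve-out (assumed camera VLAN).
PERMITTED_INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


class SSRFBlocked(ValueError):
    """urlPath would make the server contact a destination it must not reach."""


def is_forbidden_address(addr: str) -> bool:
    """True for loopback, link-local (which includes 169.254.169.254), private, multicast,
    reserved or unspecified addresses, unless inside a permitted internal network.
    Note: ipaddress also classes the RFC 5737 documentation ranges as private."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    if any(ip in net for net in PERMITTED_INTERNAL_NETS):
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> list:
    """Every A/AAAA answer for host; one forbidden answer is enough to block."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_image_url(url_path: str, resolver=resolve_all) -> tuple:
    """Validate urlPath and return (hostname, pinned_ip), or raise SSRFBlocked.

    The caller must open the connection to pinned_ip (sending hostname in Host/SNI) and
    must not follow redirects: re-resolving at fetch time reopens DNS rebinding, and a
    302 from an allowed host would otherwise point the fetch anywhere.
    """
    parts = urlsplit(url_path)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo in URL is not allowed")  # http://allowed@evil/ trick
    try:
        port = parts.port
    except ValueError:
        raise SSRFBlocked("malformed port") from None
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lowercases hostname
    if host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not in allowlist: {host!r}")
    addrs = resolver(host)
    if not addrs:
        raise SSRFBlocked(f"host did not resolve: {host!r}")
    bad = [a for a in addrs if is_forbidden_address(a)]
    if bad:
        raise SSRFBlocked(f"{host} resolves to forbidden address(es): {bad}")
    return host, addrs[0]


def verdict(url_path: str, resolver=resolve_all) -> str:
    """Convenience wrapper: 'allow <host> <ip>' or 'block: <reason>'."""
    try:
        host, ip = check_image_url(url_path, resolver)
        return f"allow {host} {ip}"
    except SSRFBlocked as exc:
        return f"block: {exc}"


# Constructed DNS table so the example runs offline (93.184.216.34 is a public address
# chosen for illustration; 192.168.10.40 is the NVR on the assumed camera VLAN).
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "nvr01.cams.example.local": ["192.168.10.40"],
}
# The same table after a rebinding/attacker-controlled answer for the CDN name.
REBOUND_DNS = {**FAKE_DNS, "cdn.example.com": ["93.184.216.34", "127.0.0.1"]}


def fake_resolver(table):
    return lambda host: table.get(host, [])


if __name__ == "__main__":
    for url in ["https://cdn.example.com/cam1.jpg",
                "https://nvr01.cams.example.local/snapshot.jpg",
                "http://169.254.169.254/latest/meta-data/",
                "http://cdn.example.com@127.0.0.1/",
                "file:///etc/passwd"]:
        print(url, "->", verdict(url, fake_resolver(FAKE_DNS)))
    print("rebound ->", verdict("https://cdn.example.com/cam1.jpg", fake_resolver(REBOUND_DNS)))
```

The carve-out matters in this product class: a rule that simply rejects every private address would also break snapshot retrieval from cameras and NVRs, which is presumably why such a check was never added. In the Java code base the same logic would connect to the pinned address and call setInstanceFollowRedirects(false) on the HttpURLConnection so that an allowlisted host cannot redirect the server to an internal one.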
Attack Vector
The attack can be executed remotely over the network by an authenticated attacker with low privileges. The attacker manipulates the urlPath parameter when calling the downloadImage function, substituting the expected image URL with a crafted URL targeting internal resources.
The vulnerability mechanism allows attackers to craft requests that leverage the server as a proxy to access internal services. Common SSRF attack patterns include targeting cloud metadata services (such as http://169.254.169.254/), internal APIs, admin interfaces, or performing port scanning of internal networks. Technical details and proof-of-concept information are available through the VulDB entry #347368 and the Feishu Wiki Resource.
Detection Methods for CVE-2026-2985
Indicators of Compromise
- Unusual outbound HTTP requests originating from the Tiandy Video Surveillance server to internal IP ranges or cloud metadata endpoints
- Requests to the downloadImage endpoint containing suspicious URL patterns in the urlPath parameter
- Server logs showing requests to unexpected internal hostnames or IP addresses from the surveillance system
- Network traffic anomalies indicating internal port scanning activity from the surveillance platform
Detection Strategies
- Monitor web application logs for requests that reach the downloadImage handler with abnormal urlPath values; the source path /com/tiandy/easy7/core/bo/CLSBODownLoad.java is not itself a URL, so identify the HTTP route from your deployment and match on the urlPath parameter rather than on that path
- Implement network segmentation monitoring to detect SSRF-based internal reconnaissance
- Deploy web application firewall (WAF) rules to detect and block SSRF payloads in URL parameters
- Analyze outbound connection attempts from the surveillance system to detect connections to internal-only resources
Monitoring Recommendations
- Enable detailed logging for all HTTP requests processed by the downloadImage function
- Configure alerts for outbound requests from the surveillance server to loopback (127.0.0.0/8, ::1), link-local (169.254.0.0/16, which contains the 169.254.169.254 metadata address, and fe80::/10) and private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7), excluding the camera and NVR subnets the platform is expected to reach
- Monitor for cloud metadata endpoint access attempts from the surveillance server
- Implement egress filtering and log all denied outbound connection attempts
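An added example of the log-side detection described above, run offline over constructed access-log lines (this is not code from the original advisory or from Tiandy; the /easy7/downloadImage route in the sample lines is an assumed placeholder, since the advisory does not give the HTTP route, and the log lines are constructed). The point it adds to the bullet list is that a plain string match on "169.254.169.254" or "127.0.0.1" is not enough: the parameter is percent-encoded in the log, and the same targets can be written as a decimal integer, a hex integer or an IPv4-mapped IPv6 literal, so the value has to be decoded and the host normalized before it is classified:

```python
"""Offline triage of access logs for SSRF attempts in an image-download parameter.

Added example, not part of the original advisory or of Tiandy's software. The
/easy7/downloadImage route and every log line below are constructed placeholders.
"""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD target ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')
METADATA_IPS = {ipaddress.ip_address("169.254.169.254"),  # AWS/Azure/GCP/OpenStack IMDS
                ipaddress.ip_address("fd00:ec2::254")}    # AWS IMDS over IPv6
INTERNAL_NAMES = {"localhost", "metadata.google.internal", "metadata", "instance-data"}


def normalize_host(host: str):
    """Return an address object for any common IP-literal notation, else None.
    Covers dotted quad, bracketed IPv6, decimal (2130706433), hex (0x7f000001) and,
    through inet_aton, short/octal forms such as 127.1 or 0177.0.0.1 that glibc accepts."""
    h = host.strip("[]")
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        pass
    try:
        if h.lower().startswith("0x"):
            return ipaddress.ip_address(int(h, 16))
        if h.isdigit():
            return ipaddress.ip_address(int(h))
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(h)))
    except OSError:
        return None  # a hostname, not a literal


def classify_target(url: str):
    """Reason string if url points where a public image fetch should not, else None."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return f"non-http scheme {scheme!r}"
    host = (parts.hostname or "").rstrip(".")
    ip = normalize_host(host)
    if ip is None:
        if host in INTERNAL_NAMES or host.endswith((".localhost", ".internal")):
            return f"internal hostname {host!r}"
        return None  # public-looking name; check against DNS history separately
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip in METADATA_IPS:
        return f"cloud metadata endpoint {ip}"
    if ip.is_loopback:
        return f"loopback address {ip}"
    if ip.is_link_local:
        return f"link-local address {ip}"
    if ip.is_private:
        return f"private address {ip}"
    return None


def scan(lines):
    """Return (client, decoded urlPath, reason) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for url in parse_qs(urlsplit(target).query).get("urlPath", []):
            reason = classify_target(url)
            if reason:
                findings.append((client, url, reason))
    return findings


# Constructed sample: one benign fetch, six evasions, one unrelated request.
SAMPLE_LOG = [
    '10.1.2.3 - operator [23/Feb/2026:10:15:01 +0800] "GET /easy7/downloadImage?urlPath=https%3A%2F%2Fcdn.example.com%2Fcam1.jpg HTTP/1.1" 200 48213',
    '10.1.2.3 - operator [23/Feb/2026:10:15:07 +0800] "GET /easy7/downloadImage?urlPath=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 318',
    '10.1.2.3 - operator [23/Feb/2026:10:15:12 +0800] "GET /easy7/downloadImage?urlPath=http%3A%2F%2F2130706433%2F HTTP/1.1" 200 1740',
    '10.1.2.3 - operator [23/Feb/2026:10:15:19 +0800] "GET /easy7/downloadImage?urlPath=http%3A%2F%2F0x0A000001%2Fadmin HTTP/1.1" 200 2201',
    '10.1.2.3 - operator [23/Feb/2026:10:15:25 +0800] "GET /easy7/downloadImage?urlPath=http%3A%2F%2F%5B%3A%3Affff%3A192.168.1.10%5D%3A8080%2F HTTP/1.1" 500 88',
    '10.1.2.3 - operator [23/Feb/2026:10:15:31 +0800] "GET /easy7/downloadImage?urlPath=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 88',
    '10.1.2.3 - operator [23/Feb/2026:10:15:40 +0800] "GET /easy7/downloadImage?urlPath=http%3A%2F%2Flocalhost%3A8443%2F HTTP/1.1" 200 912',
    '10.1.2.9 - - [23/Feb/2026:10:16:02 +0800] "GET /easy7/login HTTP/1.1" 200 1021',
]

if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{client}  {reason:40s}  {url}")
```

Each hit should be correlated with the egress side: a downloadImage request whose decoded urlPath resolves to internal space, followed within seconds by an outbound connection from the server to that address, is the pairing that turns a suspicious parameter into a confirmed SSRF. Hostnames that look public are deliberately not flagged here, because deciding whether they resolve to internal space needs the resolver answers seen at the time, not a regex.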
How to Mitigate CVE-2026-2985
Immediate Actions Required
- Restrict network access to the Tiandy Video Surveillance System to trusted IP addresses only
- Implement URL allowlisting for the downloadImage function to permit only expected image sources
- Deploy network segmentation to limit the surveillance system's access to internal resources
- Consider temporarily disabling the downloadImage functionality until a patch is available
Patch Information
No official patch is currently available. The vendor (Tiandy) was contacted about this disclosure but did not respond. Organizations should monitor the VulDB entry for updates and apply patches as soon as they become available.
Workarounds
- Implement a Web Application Firewall (WAF) with SSRF protection rules to filter malicious urlPath inputs; treat this as a stopgap only, since pattern rules miss alternate IP encodings (decimal, hex, IPv4-mapped IPv6) and attacker-controlled DNS names that resolve to internal addresses
- Configure network-level egress filtering so the server cannot reach internal IP ranges other than the camera and NVR subnets it legitimately uses; host firewall rules on the OUTPUT chain do not cover services bound to the server's own loopback interface, which need an application-level check or a per-user/per-process rule
- Deploy an HTTP proxy for outbound requests that validates and restricts destination URLs, resolving each hostname and rejecting any answer in a private, loopback or link-local range
- Use application-level URL validation to enforce an allowlist of permitted hosts for image downloads, and disable redirect following for the fetch so an allowed host cannot redirect the server elsewhere
# Example: host-level egress filtering with iptables (run as root on the surveillance server)
# Rule order matters. Accept replies to existing connections and the camera/NVR subnets first,
# or the DROP rules below also cut the server off from cameras and operator workstations on
# private addresses. 192.168.10.0/24 is an assumed camera VLAN; substitute the real one(s).
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 192.168.10.0/24 -j ACCEPT
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 169.254.0.0/16 -j DROP
# Add matching ip6tables rules (fc00::/7, fe80::/10) and a LOG target before each DROP for alerting.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

