CVE-2026-36438 Overview
CVE-2026-36438 is an information disclosure vulnerability affecting the Intelbras VIP-1230-D-G4 IP camera running firmware version V2.800.00IB00C.0.T. The flaw resides in the password reset functionality exposed through the /OutsideCmd endpoint. A remote, unauthenticated attacker can query this endpoint over the network to obtain sensitive information from the device. The issue is classified under CWE-640: Weak Password Recovery Mechanism for Forgotten Password.
Critical Impact
Remote unauthenticated attackers can extract sensitive information from affected Intelbras cameras by abusing the password reset workflow, undermining account confidentiality on exposed devices.
Affected Products
- Intelbras VIP-1230-D-G4 IP Camera
- Firmware version V2.800.00IB00C.0.T
- Related VIP 1230 B.D.G4 product variants documented in the Intelbras Product Datasheet
Discovery Timeline
- 2026-05-18 - CVE-2026-36438 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-36438
Vulnerability Analysis
The Intelbras VIP-1230-D-G4 exposes a password reset workflow at the /OutsideCmd HTTP endpoint. The endpoint returns sensitive information to callers without enforcing adequate authentication or authorization. Because the attack vector is network-based and requires no privileges or user interaction, any host able to reach the camera's web interface can interact with the endpoint. The disclosed data can support follow-on account takeover attacks against the camera. Additional technical context is available in the GitHub CVE-2026-36438 Repository.
Root Cause
The root cause is a weak password recovery mechanism [CWE-640]. The /OutsideCmd handler responds to password reset requests by returning information that should remain restricted to authenticated administrators. The reset flow does not properly validate the requester's identity before producing this response. This design flaw allows attackers to harvest data intended only for the legitimate account owner.
Attack Vector
An attacker with network access to the camera issues an HTTP request to the /OutsideCmd endpoint targeting the password reset functionality. The device replies with sensitive information that aids the attacker in compromising the account. No credentials, prior session, or user interaction is required. Cameras exposed directly to the internet face the broadest exposure, while those segmented behind a firewall require local network access.
No verified public proof-of-concept code is available. Refer to the GitHub CVE-2026-36438 Repository for additional research artifacts.
Detection Methods for CVE-2026-36438
Indicators of Compromise
- Unexpected HTTP GET or POST requests to the /OutsideCmd path on Intelbras VIP-1230-D-G4 cameras
- Password reset traffic originating from external or unmanaged IP addresses
- Repeated probing of camera web interfaces from a single source within a short window
Detection Strategies
- Inspect HTTP access logs on camera web servers and upstream proxies for requests referencing /OutsideCmd
- Correlate camera authentication events with preceding password reset requests from untrusted networks
- Baseline normal management traffic to the camera and alert on deviations involving reset endpoints
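One way to implement the log inspection described in the strategies above, as an added example that is not part of the original advisory or any vendor tooling: it flags /OutsideCmd requests from sources outside a management subnet and reports sources that repeat them within a short window. The Combined Log Format, the 10.10.20.0/24 subnet, the thresholds and the function names are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumed values, not from the advisory: adjust to your environment.
TRUSTED_NETS = [ipaddress.ip_network("10.10.20.0/24")]  # management subnet
BURST_COUNT, BURST_WINDOW = 3, timedelta(seconds=60)    # probing threshold

# Combined Log Format, as an upstream proxy typically writes it (assumption).
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '10.10.20.15 - admin [19/May/2026:09:00:01 +0000] "GET /OutsideCmd HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/May/2026:09:01:10 +0000] "GET /OutsideCmd HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/May/2026:09:01:25 +0000] "POST /OutsideCmd HTTP/1.1" 200 498',
    '203.0.113.7 - - [19/May/2026:09:01:40 +0000] "GET /outsidecmd HTTP/1.1" 404 0',
    '198.51.100.23 - - [19/May/2026:09:05:00 +0000] "GET /OutsideCmd HTTP/1.1" 200 512',
    '198.51.100.23 - - [19/May/2026:09:05:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def is_trusted(src):
    try:
        return any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)
    except ValueError:  # hostname or garbage in the client field
        return False

def find_outsidecmd_hits(lines):
    """Return (alerts, bursts) for /OutsideCmd requests from untrusted sources."""
    alerts, by_src = [], defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode %-escapes and ignore case so trivial variations are not missed.
        path = unquote(m["target"].split("?", 1)[0]).lower()
        if not path.startswith("/outsidecmd") or is_trusted(m["src"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        alerts.append((ts, m["src"], m["method"], m["target"], int(m["status"])))
        by_src[m["src"]].append(ts)
    bursts = set()
    for src, stamps in by_src.items():
        stamps.sort()
        if any(b - a <= BURST_WINDOW for a, b in zip(stamps, stamps[BURST_COUNT - 1:])):
            bursts.add(src)
    return alerts, bursts
```

Calling `find_outsidecmd_hits(SAMPLE_LOG)` returns the individual untrusted requests for triage and the set of sources that crossed the repeat threshold, which can feed an alert in a centralized log platform.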
Monitoring Recommendations
- Forward camera and network device logs to a centralized log platform for retention and search
- Monitor for IoT devices reachable from the public internet using external attack surface tooling
- Track firmware versions across the camera fleet to identify hosts running V2.800.00IB00C.0.T
How to Mitigate CVE-2026-36438
Immediate Actions Required
- Remove direct internet exposure of Intelbras VIP-1230-D-G4 cameras and place them on isolated VLANs
- Restrict access to the camera web interface to known administrative source addresses only
- Audit existing camera accounts for unauthorized changes and rotate credentials on affected devices
Patch Information
At the time of writing, the references list no vendor patch. Monitor the Intelbras Camera Product Page for firmware updates addressing the /OutsideCmd password reset issue. Apply firmware updates as soon as the vendor releases a fix for firmware V2.800.00IB00C.0.T.
Workarounds
- Block inbound access to the camera web interface at the perimeter firewall and require VPN access for management
- Disable remote password reset functionality where the device configuration permits
- Place cameras behind a reverse proxy that enforces authentication before requests reach /OutsideCmd
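# Example: restrict camera management to a trusted subnet using iptables
# 10.10.20.0/24 (management subnet) and 192.0.2.50 (camera) are example addresses
# -A appends to the end of FORWARD: the ACCEPT must precede the DROP, and earlier rules in the chain still match first
iptables -A FORWARD -s 10.10.20.0/24 -d 192.0.2.50 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.0.2.50 -p tcp --dport 80 -j DROP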


