The Zmodo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials and run telnet by default.
CWE-798: Use of Hard-coded Credentials - CVE-2016-5081
According to the reporter, the Zmodo ZP-NE14-S DVR and ZP-IBH-13W cameras contain undocumented credentials for accessing the device via telnet. These credentials allow root access to the device, and are hard-coded and cannot be changed by the user.
A remote unauthenticated attack with knowledge of the credentials may gain root access to the device.
Apply an update
Thanks to Garrett Miller and John Kotheimer for reporting this vulnerability.
This document was written by Garret Wassermann.