The Zmodo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials and run telnet by default.
CWE-798: Use of Hard-coded Credentials - CVE-2016-5081
According to the reporter, the Zmodo ZP-NE14-S DVR and ZP-IBH-13W cameras contain undocumented credentials for accessing the device via telnet. These credentials allow root access to the device, and are hard-coded and cannot be changed by the user.
A remote unauthenticated attack with knowledge of the credentials may gain root access to the device.
Apply an update
Thanks to Garrett Miller and John Kotheimer for reporting this vulnerability.