Early Doorbell Visitor Snapshots Without Strong Authentication

Summary :

Early doorbells integrated with EMQX and running firmware earlier than version 3.0.0 had an unauthenticated visitor snapshot API; the issue was remediated in May 2022, but users have not yet completed fleet-wide upgrades and corrective actions.

CVSS (Base Score):

7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack conditions:

The attacker subscribes to relevant EMQX topics and, exploiting known weaknesses on the EMQX side, receives messages with msgid=111, extracts picUrl from them, then issues an HTTP GET to that URL to retrieve the image.

Risk:

Via EMQX and related paths, unauthorized parties may collect visitor-doorbell snapshots in bulk, causing privacy leakage; the issue alone typically does not result in device takeover or remote code execution (RCE).

Impact Scope:

Early EMQX-integrated visitor doorbells with device firmware earlier than 3.0.0; devices upgraded to firmware 3.0.0 or later are no longer affected.

Remediation Steps:

Immediately shut down EMQX where applicable, and without delay enforce strict validation on the server for this category of images.

Acknowledgment

We thank Sammy Azdoufal for valuable assistance in discovering this vulnerability and coordinating responsible disclosure.