Privilege Escalation Vulnerability in Alaga Home Security WiFi Camera

The Alaga Home Security WiFi Camera 3K (model S-CW2503C-H) is vulnerable to privilege escalation. Other models from the same vendor are likely affected as they appear to share the same firmware.
We‘ve reported the vulnerability to the vendor multiple times; they did not respond. The devices therefore likely remain unpatched.

Local Privilege Escalation (CVE-2025-55810)

Description

The Alaga Home Security WiFi Camera 3K (model S-CW2503C-H) is vulnerable to privilege escalation.
The /etc/init.sh script contains several so-called 'hooking' queries, that probe the SD card for specific files. If a matching file is found, the script executes it as root early in the boot sequence.

Example:

During boot, the script verifies the presence of /mnt/sdcard/XC_${SYS_NAME}/HOOK.sh on the memory card (where SYS_NAME is the model name) and, if the file exists, runs it with root privileges.

Saving a script that contains the following content will start the Telnet service with root privileges and no password authentication:

After the device has finished booting, it is possible to connect to the Telnet service without authentication:

Affected Component: https://www.alagaai.net/products/alaga-p50s-indoor-security-camera-3k (Initialization script /etc/init.sh)

Attack Type: Local

Impact Escalation of Privileges: True

Attack Vectors:
To exploit the vulnerability, an attacker must have local access to the device.
Attackers can inject arbitrary commands during boot that run as root which allows to obtain full root access by enabling unauthenticated services such as Telnet.
Once on the device, attackers can exfiltrate sensitive information, like Wi-Fi credentials, user IDs, and the app registration email. They can also access core camera functions, including the live video stream and microphone audio.

Reference: https://www.mgm-sp.com/analyse-einer-ip-internet-webcam-teil-2

Discoverer: Jan Rude (mgm security partners)

Sie haben Fragen, oder wollen sich unverbindlich beraten lassen?

Nehmen Sie Kontakt per E-Mail auf, rufen Sie uns an oder nutzen Sie unser Kontaktformular.

Ihr Ansprechpartner

Thomas Schönrich

DOWNLOAD

Die große Application Security Pentest FAQ für Auftraggeber

Zur Faq