CVE-2024-56897 — YI Smart Dash Camera

George Chen
3 days ago


Vulnerable Model

YI Smart Dash Camera
Firmware v3.88
Reference: https://yitechnology.com.sg/products/dash-camera/

Unrestricted HTTP server for file downloads, uploads, and API commands

Once a client connects to a YI Car Dashcam using default/weak credentials, the HTTP server is open for direct access without further authentication. API commands can also be issued to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, or performing a factory reset.

HTTP server with unrestricted downloads
scripted dump of all recordings
scripted change of camera settings
upload function open
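
The missing control, sketched as an added example (not the camera's firmware and not the author's code): every download, upload or settings command must carry a per-request signature, so joining the Wi-Fi is not sufficient on its own. The paths, header names and pairing secret below are assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical allowlist: everything else (downloads, uploads, API commands)
# is denied unless the request is signed. Paths are illustrative only.
PUBLIC_PATHS = {"/status"}

def sign_request(secret: bytes, method: str, path: str, nonce: str) -> str:
    """HMAC-SHA256 over method, path and a one-time nonce."""
    msg = f"{method}\n{path}\n{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def authorize_vulnerable(method, path, headers, secret, seen_nonces) -> bool:
    """Behaviour described in the advisory: joining the Wi-Fi is the only gate."""
    return True

def authorize_hardened(method, path, headers, secret, seen_nonces) -> bool:
    """Deny by default; require a fresh, valid signature per request."""
    if path in PUBLIC_PATHS:
        return True
    nonce = headers.get("X-Nonce", "")
    sig = headers.get("X-Signature", "")
    if not nonce or nonce in seen_nonces:
        return False  # missing nonce, or a replayed request
    expected = sign_request(secret, method, path, nonce)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False  # unsigned, or signed for a different method/path
    seen_nonces.add(nonce)
    return True

def demo() -> dict:
    """Run constructed requests through both gates and collect the verdicts."""
    secret = b"constructed-pairing-secret-0001"  # sample value, not a real key
    seen = set()
    signed = {"X-Nonce": "n1", "X-Signature": sign_request(secret, "GET", "/files/clip.mp4", "n1")}
    reused = {"X-Nonce": "n2", "X-Signature": signed["X-Signature"]}
    return {
        "vulnerable_unsigned_download": authorize_vulnerable("GET", "/files/clip.mp4", {}, secret, seen),
        "hardened_unsigned_download": authorize_hardened("GET", "/files/clip.mp4", {}, secret, seen),
        "hardened_signed_download": authorize_hardened("GET", "/files/clip.mp4", signed, secret, seen),
        "hardened_replayed_download": authorize_hardened("GET", "/files/clip.mp4", signed, secret, seen),
        "hardened_sig_reused_for_reset": authorize_hardened("POST", "/api/factory_reset", reused, secret, seen),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Binding the signature to the method and path is what stops a signature captured for one download from being reused for a settings change such as a factory reset.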


Written by George Chen

George is the Head of CloudSec and AppSec at Dyson. He's passionate about cyber innovation and has filed over 50 cybersecurity patents.
