# CVE-2025-63296
KERUI K259 5MP Wi-Fi (Tuya Smart Security Camera) contains a code execution vulnerability
# Summary
**KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera firmware v33.53.87** contains **a code execution vulnerability** in its boot/update logic: during startup, `/usr/sbin/anyka_service.sh` mounts the TF/SD card and launches `/usr/bin/update_entry`; if `/mnt/update.nor.sh` is present, it is copied to `/tmp/net.sh` and executed as root, allowing an attacker with physical access to run arbitrary commands.
# Details
**Vulnerable Endpoint**: `/usr/sbin/anyka_service.sh`, `/usr/bin/update_entry`
**Trigger File**: `update.nor.sh` (placed at the root of the mounted TF/SD card)
**/usr/sbin/anyka_service.sh**
```sh
...
start_update()
{
    /usr/bin/update_entry &
}
...
umount /mnt
mount_tf_card
sh /usr/sbin/tf_update.sh
start_update
i=5
while [ $i -gt 0 ]
do
    sleep 1
    pid=`pgrep /usr/bin/update_entry`
    if [ -z "$pid" ]; then
        echo "The /usr/bin/update_entry has exited, start_update!!!"
        break
    fi
    i=`expr $i - 1`
done
if [ $mount_status -eq 1 ]; then
    if [ -f /tmp/enter_update ]; then
        echo "/tmp/enter_update file is exist, should be update!"
        update_flag=1
    else
        echo "/tmp/enter_update file is not exist!"
        update_flag=0
    fi
else
    update_flag=0
fi
if [ $update_flag -eq 1 ]; then
    /tmp/net.sh
fi
...
```
**/usr/bin/update_entry** (pseudo / decompiled)
```c
int sub_108f8()
{
    FILE *v0; // r6
    char v2[152]; // [sp+0h] [bp-98h] BYREF

    memset(v2, 0, 0x80u);
    v0 = popen("find /mnt/ -maxdepth 1 -name \"update.nor.sh\"", "r");
    if (v0)
    {
        while (fgets(v2, 128, v0))
        {
            if (strstr(v2, "update.nor.sh"))
            {
                puts("==================find update.nor.sh!! start update.nor.sh==================");
                system("cp -f /mnt/update.nor.sh /tmp/net.sh");
                usleep(0x2710u);
                system("chmod 777 /tmp/net.sh");
                system("touch /tmp/enter_update");
                system("sync");
                usleep(0x2710u);
                break;
            }
        }
        pclose(v0);
        return 0;
    }
    else
    {
        puts("error:popen failed");
        return -1;
    }
}
```
# POC
1. Create `/update.nor.sh` at the root of an SD/TF card with the following content:
<img width="982" height="763" alt="image" src="https://github.com/user-attachments/assets/220be2c1-230a-400b-9983-70dab082c82a" />
2. Insert the SD card and reboot the device.
3. On successful exploitation, the device copies `/mnt/update.nor.sh` to `/tmp/net.sh`, marks it executable and runs it. A telnet service (or any arbitrary command) will be started and allow root shell access.
<img width="1035" height="378" alt="image" src="https://github.com/user-attachments/assets/3c37f07d-4ae1-45b5-853b-085900450485" />
# Impact
- Remote command execution and persistent backdoor: attacker achieves root shell and can install persistence (cron/init/boot modifications).
- Network pivoting and scanning: attacker can use the camera to scan and attack the internal LAN.
- Credential and media exfiltration: stored credentials, tokens and recorded video/audio can be read and exfiltrated.
- Firmware/boot persistence and tampering: attacker can modify firmware or boot components to evade validation and survive reboots.
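
The root cause shown under Details is that `update_entry` stages whatever `/mnt/update.nor.sh` contains and `anyka_service.sh` then runs `/tmp/net.sh` without any authenticity check. The sketch below is an added example, not vendor or author code, of a fail-closed staging step that releases the script only after a detached signature verifies. The `openssl` CLI on the device, the key path `/etc/update_pub.pem`, the `update.nor.sh.sig` file name, the `/tmp/update` staging directory and the `stage_update` function are all assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Assumed: openssl CLI on the device, a vendor
# public key on the read-only rootfs, and a detached signature on the card.
PUBKEY="${PUBKEY:-/etc/update_pub.pem}"    # hypothetical key path

# stage_update CARD_DIR STAGE_DIR
# Copies update.nor.sh and update.nor.sh.sig off the card, then verifies the
# private copy, so the card contents cannot change between check and use.
# Prints the verified script's path and returns 0; returns 1 otherwise.
stage_update() {
    src="$1/update.nor.sh"
    sig="$1/update.nor.sh.sig"             # hypothetical signature file name
    stage="$2"

    # Regular files only: a symlink on the card must not redirect the copy.
    [ -f "$src" ] && [ ! -L "$src" ] || return 1
    [ -f "$sig" ] && [ ! -L "$sig" ] || return 1
    [ -r "$PUBKEY" ] || return 1

    # Root-only staging directory instead of a world-writable /tmp/net.sh.
    mkdir -p "$stage" && chmod 700 "$stage" || return 1
    cp -f "$src" "$stage/net.sh" || return 1
    cp -f "$sig" "$stage/net.sh.sig" || return 1
    chmod 500 "$stage/net.sh"              # the firmware uses chmod 777

    if openssl dgst -sha256 -verify "$PUBKEY" \
            -signature "$stage/net.sh.sig" "$stage/net.sh" >/dev/null 2>&1
    then
        echo "$stage/net.sh"
        return 0
    fi
    # Fail closed: a bad signature, bad key or missing openssl leaves nothing
    # behind for the boot script to execute.
    rm -f "$stage/net.sh" "$stage/net.sh.sig"
    return 1
}

# Boot-script side, replacing the unconditional "/tmp/net.sh" call:
#   verified=$(stage_update /mnt /tmp/update) && sh "$verified"
```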