The „Media Relay Service (MRS)“ (web server) software for reconnaissance devices from the Israeli manufacturer Infodraw is affected by a serious security vulnerability (Path Traversal Vulnerability). Security experts from Mint Secure discovered the vulnerability and initially reported it to the manufacturer and – due to a lack of response – subsequently to operators and CERTs worldwide in order to rule out further risks and responsibly disclose the vulnerability. This blog post describes technical details, cases from various countries, and the approach behind the discovery. Recommendations for affected organizations are also provided.
A presentation (German) on this topic was also given at the Chaos Computer Club’s Easterhegg 2025 conference (slides in German).
Update April 20, 2025: MITRE has now assigned CVE-2025-43928. We estimate that the CVSS score should be at least 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) or higher, as arbitrary data can be downloaded and deleted (any file).
The following information about the manufacturer was obtained through self-disclosure on the website (archive): Infodraw R&D Ltd. is a global provider of mobile video surveillance solutions that develops and manufactures sophisticated devices for wireless live transmission of video, audio, and GPS data over 3G, 4G, 5G, and Wi-Fi networks. The products are used internationally by police, private investigators, fleet management, and public transportation agencies, providing stable, high-performance surveillance solutions for mobile applications.The corresponding service architecture includes various components (which can be found in the solution manual):
Central control is provided via a server running the „Media Relay Service (MRS)“ software. It can be deployed on both Linux and Windows systems.
Media Relay Service (MRS) is typically used with devices from the PMRS series from the same manufacturer and is used for video, audio, and position data processing. The corresponding hardware is equipped with numerous interfaces for surveillance/reconnaissance.
In addition to an HTTP server component, there are additional software options, including clients and mobile apps (Android and iOS). Furthermore, the software can be integrated into other software products via an SDK, and the hardware can be expanded as required (by connecting cameras and microphones).
After installing the MRS software, some files on the system can be observed:
Below this is a ServerParameter.xml file, which contains further details and settings. This XML file serves as the central „database“ for the software (for example, it specifies where and how recordings should be saved, which users exist, and what permissions they have).
After the web server is started, it runs as an HTTP service on port 12654 and provides two interfaces (/user and /admin).
An investigation of the software revealed that logging into the application was possible after entering any username (under /user) in the software. This is presumably an unintended functional error.
While functions are accessible through login, they cannot be used easily because there is no account in the ServerParameter.xml file, and errors are thrown. At first, this functional flaw did not appear to be a potential threat to an actual attack.
Observing that a login with any account is possible, the available functions were examined more closely. File Explorer was identified as a feature that could enable further attacks.
The theoretical consideration was subsequently successfully tested and it was confirmed that a login with the user ../../../../ is possible and this is used by the web server as input for the file allocation:
This allows access to any files on the system.
Both Linux and Windows systems are affected.
This practice/vulnerability is also known as „path traversal“ or „directory traversal“ and has been known in this form for some time. In addition to simply viewing content and the associated potential for data exfiltration, files can also be deleted (Arbitrary File Deletion). See the video and links next to the files.
Data exfiltration can, for example, gain access to the ServerParameter.xml file, which contains additional information (including the MD5 hash of the administrator and possibly other users). Since MD5 is considered insecure and there is no salting or similar technology, hashed passwords can be easily converted back to plaintext, allowing login.
Furthermore, it’s conceivable that further information could be exfiltrated to gain access to the system in other ways. Some of the systems discovered were also integrated into Active Directory systems, which could potentially enable lateral movement or further privilege escalation.
Mint Secure conducted internet-wide scans on port 12654 (HTTP) (since services like Shodan do not detect this service) and was able to identify numerous affected systems.
Since no response from the manufacturer was received, CERTs and operators of corresponding systems were contacted directly to warn them before publishing this blog post and other articles. Some versions/configurations also appear to be non-vulnerable. The vulnerability was reported to CERTs in Belgium and Luxembourg, among others.
Belgium
In Belgium, a police system (Limburg Regio Hoofdstad) was affected, which, according to the username, may be associated with a drone:
In Luxembourg, a system was identified based on its IP address range as belonging to the „Police Grand-Ducale.“ Apparently, this system is used by the police’s special unit for audio and video surveillance or to manage body cameras.
Gato2 is the „Groupes d’appui technique opérationnel“ (GATO for short) for audio and video observation (source).
In both cases, the CERTs were able to report the attack to the responsible authorities, making the systems inaccessible.
Other organizations and government agencies around the world are affected – they have received information directly or through their national CERTs in recent days and should act promptly.
Affected organizations are primarily advised to take the application offline immediately (since, despite early warnings, no manufacturer patch is available, and it is considered possible that the vulnerability will be exploited by malicious actors in the near future).
If this is not possible, systems should be further protected with additional measures (such as using a VPN or specific IP unlocking).
Furthermore, forensic investigations may be necessary to determine if and when third-party access occurred and what information may have been affected.
The Mint Secure investigation shows that surveillance technology can be vulnerable to vulnerabilities and that extremely sensitive data can be affected. Unfortunately, manufacturers do not always comply with industry standards (providing updates and responding to vulnerability reports).