{"id":95,"date":"2026-05-27T19:31:07","date_gmt":"2026-05-27T09:31:07","guid":{"rendered":"https:\/\/mallen.com.au\/blog\/?p=95"},"modified":"2026-05-27T19:31:08","modified_gmt":"2026-05-27T09:31:08","slug":"smile-youre-being-hacked-nozomi-networks-labs-finds-five-new-flaws-in-hanwha-wisenet-cameras-cve-2025-52598-52601-cve-2025-8075","status":"publish","type":"post","link":"https:\/\/mallen.com.au\/blog\/smile-youre-being-hacked-nozomi-networks-labs-finds-five-new-flaws-in-hanwha-wisenet-cameras-cve-2025-52598-52601-cve-2025-8075\/","title":{"rendered":"Smile, You’re Being Hacked: Nozomi Networks Labs Finds Five New Flaws in Hanwha Wisenet Cameras (CVE-2025-52598\u201352601, CVE-2025-8075)"},"content":{"rendered":"

Five Vulnerabilities Found in Hanwha Vision QNV-C8012 and Wisenet Device Manager<\/h2>\n\n

Nozomi Networks Labs has published research disclosing five medium-severity vulnerabilities in the Hanwha Vision QNV-C8012 network camera (firmware v2.22.00_20240909_R188) and the Wisenet Device Manager (WDM) Windows application (v2.9.2.0). The CVEs \u2014 assigned CVE-2025-52598, CVE-2025-52599, CVE-2025-52600, CVE-2025-52601, and CVE-2025-8075 \u2014 were discovered under responsible disclosure and have been confirmed and published by Hanwha Vision through its S-CERT security response programme. While no single flaw here is individually critical, the research demonstrates a realistic multi-step attack chain that can pivot from a single operator workstation to an entire fleet of Hanwha cameras and recorders.<\/p>\n\n

The QNV-C8012 is a compact 5-megapixel dome camera widely used in office, retail, and education deployments. Wisenet Device Manager is the companion Windows utility used to discover, configure, and manage large groups of Hanwha IP cameras, NVRs, and DVRs from a single console \u2014 making it a high-value target if compromised.<\/p>\n\n

The Vulnerability Chain: How a Report Becomes a Network Takeover<\/h2>\n\n

The Nozomi research team outlines a two-step attack scenario that is worth understanding in operational terms.<\/p>\n\n

Step 1 \u2014 Poisoned report on the operator’s PC.<\/strong> The QNV-C8012 supports a People Counting feature that allows users to define named rules and generate Excel-format occupancy reports. An attacker with access to the camera’s web interface (or who can intercept traffic to it) can exploit a cross-site scripting flaw (CVE-2025-8075) to inject malicious content into rule names. Because client-side input validation is enforced only in the browser, a second weakness (CVE-2025-52600 \u2014 client-side enforcement of server-side security) means those injected names pass through unchecked server-side. The result is a booby-trapped Excel report: when the operator downloads and opens it, embedded spreadsheet formula logic can execute arbitrary commands on the workstation. This particular chain requires the optional CloudConnector add-on to be installed on the camera, and the FTP Event Send function to be enabled.<\/p>\n\n

Step 2 \u2014 Lateral movement to the camera fleet.<\/strong> With code execution on the operator’s workstation, the attacker targets Wisenet Device Manager. A hard-coded password vulnerability (CVE-2025-52601, CWE-259) means WDM stores a shared default username and password in a recoverable form. An attacker who can access the WDM installation on the compromised workstation can extract these credentials and replay them against every Hanwha device on the network that still uses default settings \u2014 potentially gaining administrative control over the entire surveillance fleet.<\/p>\n\n

Two additional vulnerabilities round out the picture: CVE-2025-52598 (improper TLS certificate validation, CVSS v4.0 6.3) enables man-in-the-middle interception of HTTPS and SMTP traffic to and from the camera, and CVE-2025-52599 (incorrect permission assignment for a critical resource, CVSS v4.0 6.3) creates further conditions for availability impact.<\/p>\n\n

CVE Summary Table<\/h2>\n\n
CVE ID<\/th>Weakness (CWE)<\/th>CVSS v4.0 Score<\/th>Component<\/th><\/tr><\/thead>
CVE-2025-52598<\/td>CWE-295: Improper Certificate Validation<\/td>6.3<\/td>QNV-C8012 firmware<\/td><\/tr>
CVE-2025-52599<\/td>CWE-732: Incorrect Permission Assignment<\/td>6.3<\/td>QNV-C8012 firmware<\/td><\/tr>
CVE-2025-52600<\/td>CWE-602: Client-Side Enforcement of Server-Side Security<\/td>5.2<\/td>QNV-C8012 web interface<\/td><\/tr>
CVE-2025-52601<\/td>CWE-259: Use of Hard-coded Password<\/td>6.3<\/td>Wisenet Device Manager v2.9.2.0<\/td><\/tr>
CVE-2025-8075<\/td>CWE-79: Cross-Site Scripting (XSS)<\/td>5.8<\/td>QNV-C8012 web interface (CloudConnector)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n

All five vulnerabilities carry CVSS v4.0 base scores in the medium range (5.2\u20136.3). No active exploitation in the wild has been reported at time of publication. Hanwha Vision has been engaged through responsible disclosure and has confirmed and published the findings via its S-CERT programme.<\/p>\n\n

Operational Implications and Recommended Actions<\/h2>\n\n

For facilities managers and IT managers running Hanwha Wisenet cameras \u2014 particularly in multi-site or high-density deployments managed through WDM \u2014 the following steps are recommended:<\/p>\n\n