Several models have a security failure in the endpoint users.cgi?action=getUsers, The parameter has an improper authentication failure, it is possible to use 2 default credentials to directly access all the credentials of the database through the vulnerable endpoint, We can check the access in the exporting the configuration file of Device. 

EmailSetting.attachedSnapShotEnabled=0 EmailSetting.attachedVideoClipEnabled=0 EmailSetting.attachedVideoURLEnabled=1 EmailSetting.receiverAddress1= EmailSetting.receiverAddress2= EmailSetting.senderAddress= EmailSetting.senderName= EmailSetting.subject= EmailSetting.primary.accountName= EmailSetting.primary.authenticationMode=1 EmailSetting.primary.password= EmailSetting.primary.portNo=25 EmailSetting.primary.smtpServerHostName= 

FTPSetting.uploadSnapShotEnabled=0 FTPSetting.uploadVideoClipEnabled=0 FTPSetting.primary.accountName= FTPSetting.primary.addressType=0 FTPSetting.primary.hostname= FTPSetting.primary.ipAddress= FTPSetting.primary.ipv6Address= FTPSetting.primary.passiveModeEnabled=0 FTPSetting.primary.password= FTPSetting.primary.portNo=21 FTPSetting.primary.ShareDIR= 

Samba.addressType=0 Samba.hostDns= Samba.ipAddress= Samba.ipv6Address= Samba.password=guest Samba.preserve= Samba.userName=guest Samba.shareDIR= Samba.workGroup= Samba.SambaSnapShotEnabled=0 Samba.SambaVideoClipEnabled=1 

BasicNetworkSetting.addressType=0 BasicNetworkSetting.dnsAddress1=80.58.61.250 BasicNetworkSetting.dnsAddress2=80.58.61.254 BasicNetworkSetting.gatewayAddress=192.168.1.1 BasicNetworkSetting.ipv4Address=192.168.1.53 BasicNetworkSetting.ipv4Address2nd=192.168.1.245 BasicNetworkSetting.subnetMask=255.255.255.0 BasicNetworkSetting.subnetMask2nd=255.255.255.0 BasicNetworkSetting.enabledIP2nd=0 BasicNetworkSetting.pppoe.password= BasicNetworkSetting.pppoe.username= BasicNetworkSetting.defaultgatewayType=0 BasicNetworkSetting.manualDns=0 BasicNetworkSetting.tcp_mss_option=0 BasicNetworkSetting.tcp_mss_value=1500 

WIFISetting.wifibridge=1 WIFISetting.wlNetworkSetting.wifiaddressType=1 WIFISetting.wlNetworkSetting.wifiipv4Address= WIFISetting.wlNetworkSetting.wifisubnetMask= WIFISetting.wlNetworkSetting.wifigatewayAddress= WIFISetting.wlNetworkSetting.wifidnsAddress1= WIFISetting.wlNetworkSetting.wifidnsAddress2= WIFISetting.wlNetworkSetting.wifipppoe.username= WIFISetting.wlNetworkSetting.wifipppoe.password= 

DiscoveryonInternetSetting.enabled=1 DiscoveryonInternetSetting.upnp_status=0 DiscoveryonInternetSetting.register_status=0 DiscoveryonInternetSetting.online=0 DiscoveryonInternetSetting.check=0 DiscoveryonInternetSetting.checkname=0 DiscoveryonInternetSetting.update=0 DiscoveryonInternetSetting.RefreshTime=60 DiscoveryonInternetSetting.RefreshTimeList=1 5 30 60 180 360 1440 DiscoveryonInternetSetting.weburl= DiscoveryonInternetSetting.username= DiscoveryonInternetSetting.discovery_check_status=0 DiscoveryonInternetSetting.type=0 DiscoveryonInternetSetting.http_port=80 DiscoveryonInternetSetting.rtsp_port=554 DiscoveryonInternetSetting.publicip= DiscoveryonInternetSetting.username_backup= DiscoveryonInternetSetting.wanip_backup= DiscoveryonInternetSetting.macaddr_backup= DiscoveryonInternetSetting.port_backup= DiscoveryonInternetSetting.localip_backup= DiscoveryonInternetSetting.https_backup= DiscoveryonInternetSetting.httpport_backup= 

DDNSSetting.dyndnsEnabled=0 DDNSSetting.dyndns.wildcardEnabled=0 DDNSSetting.dyndns.username= DDNSSetting.dyndns.password= DDNSSetting.dyndns.hostname= DDNSSetting.tzodnsEnabled=0 DDNSSetting.tzodns.wildcardEnabled=0 DDNSSetting.tzodns.username= DDNSSetting.tzodns.password= DDNSSetting.tzodns.hostname= DDNSSetting.noipdnsEnabled=0 DDNSSetting.noipdns.wildcardEnabled=0 DDNSSetting.noipdns.username= DDNSSetting.noipdns.password= DDNSSetting.noipdns.hostname= DDNSSetting.noipdns=1 DDNSSetting.tzolastip= DDNSSetting.ddns_last_ipaddr=192.168.1.1 DDNSSetting.nameserver=168.95.1.1