← Back
2026-02-06 23:14CVE-2020-37157VulnCheck
PUBLISHED5.2CWE-306

DBPower C300 HD Camera - Remote Configuration Disclosure

DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and password by accessing the /tmpfs/config_backup.bin resource.

Problem type

Affected products

DBPower

DBPower C300 HD Camera

- - AFFECTED

References

ExploitDB-48095

https://www.exploit-db.com/exploits/48095

exploit
Archived Researcher Blog

https://web.archive.org/web/20200620110617/https://donev.eu/blog/dbpower-c300-multiple-vulnerabilities

technical-descriptionexploit
VulnCheck Advisory: DBPower C300 HD Camera - Remote Configuration Disclosure

https://www.vulncheck.com/advisories/dbpower-c-hd-camera-remote-configuration-disclosure

third-party-advisory

GitHub Security Advisories

GHSA-37vr-rqxp-v3j3

DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows...

https://github.com/advisories/GHSA-37vr-rqxp-v3j3

DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and password by accessing the /tmpfs/config_backup.bin resource.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2020-37157

web.archive.org

https://web.archive.org/web/20200620110617/https://donev.eu/blog/dbpower-c300-multiple-vulnerabilities

exploit-db.com

https://www.exploit-db.com/exploits/48095

vulncheck.com

https://www.vulncheck.com/advisories/dbpower-c-hd-camera-remote-configuration-disclosure

github.com

https://github.com/advisories/GHSA-37vr-rqxp-v3j3

JSON source

https://cveawg.mitre.org/api/cve/CVE-2020-37157
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2020-37157",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-02-06T23:14:09.598Z",
    "dateReserved": "2026-02-03T16:27:45.310Z",
    "datePublished": "2026-02-06T23:14:09.598Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-02-06T23:14:09.598Z"
      },
      "datePublic": "2020-02-19T00:00:00.000Z",
      "title": "DBPower C300 HD Camera - Remote Configuration Disclosure",
      "descriptions": [
        {
          "lang": "en",
          "value": "DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and password by accessing the /tmpfs/config_backup.bin resource."
        }
      ],
      "affected": [
        {
          "vendor": "DBPower",
          "product": "DBPower C300 HD Camera",
          "versions": [
            {
              "version": "-",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Missing Authentication for Critical Function",
              "cweId": "CWE-306",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/48095",
          "name": "ExploitDB-48095",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://web.archive.org/web/20200620110617/https://donev.eu/blog/dbpower-c300-multiple-vulnerabilities",
          "name": "Archived Researcher Blog",
          "tags": [
            "technical-description",
            "exploit"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/dbpower-c-hd-camera-remote-configuration-disclosure",
          "name": "VulnCheck Advisory: DBPower C300 HD Camera - Remote Configuration Disclosure",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Todor Donev",
          "type": "finder"
        }
      ]
    }
  }
}