Two Critical RCE Flaws Expose Yi IOT Smart Cameras to Full Device Takeover (CVE-2025-29659, CVE-2025-29660)
Security researcher Yassine Damiri has uncovered two critical remote code execution vulnerabilities in Yi IOT XY-3820 smart cameras, posing significant security risks. The first vulnerability, CVE-2025-29659, involves a cmd binary that opens a root-level command server on TCP port 999, while the second, CVE-2025-29660, is found in the camera's daemon process on TCP port 6789 and allows for unauthorized command execution. These vulnerabilities could potentially grant attackers full root control of the affected devices. To mitigate the risks, users are strongly advised to update their camera firmware, disconnect vulnerable cameras from the internet, restrict access to internal networks, and closely monitor for any suspicious outbound connections. This discovery highlights the ongoing security challenges in IoT devices and the importance of prompt patching and network segmentation.
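The two service ports named above (TCP 999 for the cmd command server, TCP 6789 for the daemon) and the advice to watch for suspicious outbound connections give a defender something concrete to monitor. The following Python script is an added example, not code from the advisory or the researcher: it parses a small constructed flow log and flags (a) any TCP connection to a camera host on one of the two advisory ports and (b) any outbound TCP connection from a camera host to a destination outside an allowlist. The log format, the camera subnet 192.168.50.0/24 and the allowlisted NVR address are assumptions chosen for the example.

```python
"""Flag flow-log entries consistent with exposure of the two Yi IOT camera
services from the advisory (TCP 999 and TCP 6789) and unexpected outbound
connections from camera hosts.

Assumed (not from the advisory): a space-separated flow-log format
    "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
and that camera hosts live in one known subnet.
"""
import ipaddress
import re
from dataclasses import dataclass

# Ports taken from the advisory text.
VULNERABLE_PORTS = {999: "CVE-2025-29659", 6789: "CVE-2025-29660"}

# Assumed camera VLAN and allowed outbound destinations (constructed values):
# cameras may talk to each other and to a local NVR, nothing else.
CAMERA_SUBNET = ipaddress.ip_network("192.168.50.0/24")
OUTBOUND_ALLOWLIST = {
    ipaddress.ip_network("192.168.50.0/24"),
    ipaddress.ip_network("192.168.10.5/32"),  # hypothetical local NVR
}

FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


@dataclass
class Finding:
    ts: str
    kind: str
    detail: str


def parse_flow(line):
    """Return (ts, src, sport, dst, dport, proto) or None for a malformed line."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    return (ts, ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport), proto.upper())


def analyze(lines):
    """Scan flow-log lines and return a list of Finding records."""
    findings = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        ts, src, sport, dst, dport, proto = parsed
        if proto != "TCP":
            continue
        # (a) Anything reaching a camera on one of the two advisory ports.
        if dst in CAMERA_SUBNET and dport in VULNERABLE_PORTS:
            findings.append(Finding(
                ts, "inbound_vuln_port",
                f"{src} -> {dst}:{dport} ({VULNERABLE_PORTS[dport]})"))
        # (b) A camera initiating a connection to a non-allowlisted host.
        elif src in CAMERA_SUBNET and not any(dst in net for net in OUTBOUND_ALLOWLIST):
            findings.append(Finding(
                ts, "unexpected_outbound", f"{src} -> {dst}:{dport}"))
    return findings


# Constructed sample log: one camera at 192.168.50.20, NVR at 192.168.10.5.
SAMPLE_LOG = [
    "2025-04-01T10:00:01Z 192.168.10.5:51000 -> 192.168.50.20:554 TCP",   # NVR pulling RTSP
    "2025-04-01T10:00:05Z 10.0.0.7:40001 -> 192.168.50.20:999 TCP",       # cmd server port
    "2025-04-01T10:00:09Z 10.0.0.7:40002 -> 192.168.50.20:6789 TCP",      # daemon port
    "2025-04-01T10:01:00Z 192.168.50.20:33000 -> 203.0.113.9:443 TCP",    # camera to unknown host
    "2025-04-01T10:01:02Z 192.168.50.20:33001 -> 192.168.10.5:8000 TCP",  # camera to NVR, allowed
    "2025-04-01T10:01:03Z 192.168.50.20:5353 -> 224.0.0.251:5353 UDP",    # mDNS, not TCP, ignored
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.kind}: {f.detail}")
```

On the sample log this reports the two connections to ports 999 and 6789 and the camera's connection to 203.0.113.9, while the NVR traffic and the mDNS packet are ignored. In practice the same logic can be pointed at exported firewall or NetFlow records, and the allowlist should be kept as short as the deployment permits; a camera that needs no internet access belongs on a segment that cannot reach it at all.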