IDIS: Critical IDIS IP Camera Vulnerability Allows Full Computer Compromise with One-Click Exploit

Critical One-Click RCE Vulnerability in IDIS Cloud Manager Exposes Surveillance Systems

A severe vulnerability in IDIS Cloud Manager (ICM) Viewer (CVE-2025-12556, CVSS 8.7) allows attackers to achieve remote code execution (RCE) with a single click, compromising Windows systems used to monitor IDIS IP cameras. The flaw, discovered by security researchers, stems from improper input validation in the ICM Viewer’s WebSocket communication, enabling malicious command-line flag injection.

How the Attack Works

The ICM Viewer, a Windows application for accessing live and recorded surveillance feeds via IDIS’s cloud platform, relies on a local service (CWGService.exe) listening on ws://localhost:16140. When a user clicks "Run Viewer" in the web dashboard, the page sends a launch request over that WebSocket and the service starts WCMViewer.exe with a command line that includes a URL supplied by the WebSocket client, without sufficient sanitization.

Attackers can exploit this by:

  1. Tricking a user into visiting a malicious webpage whose JavaScript opens a WebSocket connection to localhost:16140; because the service does not check the browser's Origin header, the connection is accepted just as one from the legitimate dashboard would be.
  2. Injecting Chromium command-line flags (e.g., --utility-cmd-prefix) into the viewer’s launch parameters. WCMViewer.exe is built on the Chromium Embedded Framework (CEF), and --utility-cmd-prefix tells Chromium to run a given command when it spawns a utility process, so whatever the attacker supplies as the prefix is executed.
  3. Executing arbitrary code on the victim’s system; the researchers demonstrated this by spawning notepad.exe as a proof of concept.

Impact & Risks

  • One-click RCE: No user interaction beyond clicking a link is required.
  • Full system compromise: Attackers gain control of the Windows host managing IDIS surveillance, potentially enabling lateral movement within networks.
  • Exposure of critical infrastructure: Compromised systems could provide access to other surveillance assets or sensitive endpoints.

Root Causes

The vulnerability arises from multiple design flaws:

  • No origin validation: the local WebSocket accepts handshakes from any web page because the browser-supplied Origin header is never checked (CORS does not govern WebSocket connections, so only an explicit origin allowlist can stop a cross-site page from driving the service).
  • Hard-coded encryption key for WebSocket messages, which provides no authentication: the key ships inside the client, so an attacker can recover it and produce valid messages.
  • Unsanitized command-line arguments passed to WCMViewer.exe.
  • Insufficient parameter validation before CEF execution.
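The attack steps and the root causes above come down to two checks a localhost launcher must make before it spawns anything: who is talking to it (the page origin) and what it is being asked to launch (the URL). The following is an added example written for this page, not IDIS code and not the actual ICM message format (which is encrypted with the hard-coded key the article mentions). It models the vulnerable pattern beside a hardened one. The origins and hostnames under *.invalid are placeholders, --utility-cmd-prefix is the switch named in the article, and shlex.split stands in for the way a single Windows command-line string is re-tokenised into switches by the child process.

```python
"""Hardening pattern for a browser-driven localhost launcher.

Added example, not IDIS code. It models the two failures the advisory lists
(no origin check on the local WebSocket, unsanitized URL spliced into the
viewer command line) and the corresponding fixes. Origins and hostnames
under *.invalid are placeholders; shlex.split stands in for the OS/CEF
re-tokenisation of a single command-line string.
"""
import shlex
from urllib.parse import urlsplit

VIEWER_EXE = "WCMViewer.exe"  # the launch target named in the advisory

# Assumed allowlists: only the vendor's own dashboard may drive the service,
# and the viewer may only be pointed at the vendor's own hosts.
ALLOWED_ORIGINS = frozenset({"https://dashboard.example-cloud.invalid"})
ALLOWED_HOSTS = frozenset({"dashboard.example-cloud.invalid"})


def build_viewer_cmdline_unsafe(url: str) -> list:
    """Vulnerable pattern: string concatenation, then OS/CEF re-tokenisation.

    Anything after a space in `url` becomes a separate argv entry, so a
    Chromium switch smuggled inside the "URL" is parsed as a real switch.
    """
    return shlex.split(f"{VIEWER_EXE} {url}")


def origin_allowed(headers: dict) -> bool:
    """Accept the WebSocket upgrade only from an allowlisted page origin.

    Browsers attach Origin to every WebSocket handshake and page script
    cannot forge it, so this is what distinguishes the real dashboard from
    an attacker's page. A missing or 'null' Origin is treated as untrusted.
    """
    return headers.get("Origin", "") in ALLOWED_ORIGINS


def validate_viewer_url(url: str) -> str:
    """Return `url` if it is a single, plain https URL to an allowed host.

    Raises ValueError otherwise. Whitespace and a leading '-' are rejected
    before parsing because either would let the value be read as switches.
    """
    if not url or url.startswith("-") or any(ch.isspace() for ch in url):
        raise ValueError("URL contains whitespace or looks like a switch")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("only https URLs with a hostname are accepted")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} is not allowlisted")
    return url


def handle_launch(headers: dict, url: str):
    """Hardened 'Run Viewer' decision: (accepted, argv or rejection reason).

    The URL goes into argv as one element after a bare '--'. Chromium's
    base::CommandLine stops switch parsing at '--', which is defence in
    depth on top of the validation above, not a substitute for it.
    """
    if not origin_allowed(headers):
        return False, "rejected: untrusted or missing Origin"
    try:
        clean = validate_viewer_url(url)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    return True, [VIEWER_EXE, "--", clean]


if __name__ == "__main__":
    # Constructed request, modelled on the injection the advisory describes.
    injected = ("https://dashboard.example-cloud.invalid/live "
                "--utility-cmd-prefix=notepad.exe")
    print("unsafe argv:", build_viewer_cmdline_unsafe(injected))
    print("from attacker page:",
          handle_launch({"Origin": "https://evil.invalid"}, injected))
    print("from dashboard, injected:",
          handle_launch({"Origin": "https://dashboard.example-cloud.invalid"},
                        injected))
    print("from dashboard, clean:",
          handle_launch({"Origin": "https://dashboard.example-cloud.invalid"},
                        "https://dashboard.example-cloud.invalid/live"))
```

The unsafe builder shows why a URL parameter is enough: once the string is re-tokenised, `--utility-cmd-prefix=notepad.exe` is an ordinary argv entry and CEF treats it as a switch. The hardened path rejects the attacker's page at the handshake (wrong Origin) and, independently, rejects the smuggled switch at validation, so neither fix relies on the other. Note that an encrypted channel with a key embedded in the client would not replace either check, since the key is recoverable by anyone with the software.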

Mitigation & Response

IDIS has released ICM Viewer version 1.7.1 to address the issue, urging customers to upgrade immediately or uninstall the software if patching is not feasible. The Cybersecurity and Infrastructure Security Agency (CISA) has also highlighted the risk, emphasizing the need for organizations to review exposed surveillance management systems and harden local services.

The flaw underscores the risks of cloud-connected security tools with inadequate input validation, particularly in critical infrastructure environments.

Source: https://gbhackers.com/idis-ip-camera-vulnerability/

IDIS cybersecurity rating report: https://www.rankiteo.com/company/idis-global

"id": "IDI1769618820",
"linkid": "idis-global",
"type": "Vulnerability",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Surveillance/Physical Security',
                        'name': 'IDIS Cloud Manager (ICM) Viewer users',
                        'type': 'Software'}],
 'attack_vector': 'WebSocket communication exploitation via malicious webpage',
 'description': 'A severe vulnerability in IDIS Cloud Manager (ICM) Viewer '
                '(CVE-2025-12556, CVSS 8.7) allows attackers to achieve remote '
                'code execution (RCE) with a single click, compromising '
                'Windows systems used to monitor IDIS IP cameras. The flaw '
                'stems from improper input validation in the ICM Viewer’s '
                'WebSocket communication, enabling malicious command-line flag '
                'injection.',
 'impact': {'operational_impact': 'Full system compromise, potential lateral '
                                  'movement within networks',
            'systems_affected': 'Windows systems running IDIS Cloud Manager '
                                '(ICM) Viewer'},
 'lessons_learned': 'The flaw underscores the risks of cloud-connected '
                    'security tools with inadequate input validation, '
                    'particularly in critical infrastructure environments.',
 'post_incident_analysis': {'corrective_actions': 'Patch management, input '
                                                  'validation improvements, '
                                                  'WebSocket security '
                                                  'hardening',
                            'root_causes': ['No origin validation (missing '
                                            'CORS checks on the local '
                                            'WebSocket)',
                                            'Hard-coded encryption key for '
                                            'WebSocket messages',
                                            'Unsanitized command-line '
                                            'arguments passed to WCMViewer.exe',
                                            'Insufficient parameter validation '
                                            'before CEF execution']},
 'recommendations': 'Upgrade to ICM Viewer version 1.7.1 immediately, review '
                    'exposed surveillance management systems, and harden local '
                    'services.',
 'references': [{'source': 'CISA Advisory'}],
 'regulatory_compliance': {'regulatory_notifications': 'Cybersecurity and '
                                                       'Infrastructure '
                                                       'Security Agency (CISA) '
                                                       'advisory'},
 'response': {'containment_measures': 'Upgrade to ICM Viewer version 1.7.1 or '
                                      'uninstall the software if patching is '
                                      'not feasible',
              'remediation_measures': 'Patch management, review exposed '
                                      'surveillance management systems, harden '
                                      'local services'},
 'title': 'Critical One-Click RCE Vulnerability in IDIS Cloud Manager Exposes '
          'Surveillance Systems',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2025-12556 (Improper input validation in ICM '
                            'Viewer’s WebSocket communication)'}