Avatar
Because Google started to delete hacking related blog posts without using a single brain cell, I had to learn just another framework. Thx Google

CVE-2025-56675 - EKEN video doorbells leaking Wi-Fi credentials through HTTP to cloud servers

CVE-ID:
CVE-2025-56675

[Suggested description]
Video doorbells developed by EKEN group periodically sends debug logs to the EKEN cloud servers. These debug logs contain sensitive information like Wi-Fi SSID and credentials.

Example log: 
[0000000654]{I] fua_video_get_config preview_resolution 0wdr_mode 0 wifi_test_mode 0 
[0000000656][1970-01-01 00:00:00.925268]{D] ########################################### 
[0000000658][1970-01-01 00:00:00.927269]{D] BT60PLUSEKDB_<REDACTED-<REDACTED-<REDACTED-<REDACTED-<REDACTED>
[0000000659][1970-01-01 00:00:00.928104]{D] <SSID<PASSWORD>
[0000000659][1970-01-01 00:00:00.928274]{D] http://api.gdxp.com:8100 https://push.gdxp.com 47.243.113.135:139963 [tcp]47.254.95.196:9007 47.243.228.110:102587 47.107.28.145:17051 
[0000000659][1970-01-01 00:00:00.928436]{D] 9 http://oss-eu-central-1.aliyuncs.com de1-aiwit

[VulnerabilityType Other]

Wi-Fi credentials exposed to cloud servers via clear-text HTTP

[Vendor of Product]

Eken
Product name: Video doorbell
Model: T6
Manufacturer: Topvision (Shenzen) Technology Co., Ltd

[Affected Product Code Base]
Eken Aiwit video doorbells - BT60PLUS_MAIN_V1.0_GC1084_20230531

[Affected Component]
HTTP PUT to de1-aiwit.oss-eu-central-1.aliyuncs.com/device_log/<date/<camera_id

[Attack Type Other]
Attacker listening to clear-text HTTP traffic in the upstream

[Impact Information Disclosure] 
true


[Attack Vectors]
Attacker listening to clear-text HTTP traffic in the upstream

[Discoverer]
Zoltan Balazs

[Reference]
http://api.gdxp.com:8100
http://eken.com
http://oss-eu-central-1.aliyuncs.com
https://push.gdxp.com


Vulnerability timeline: 
2025-04-04: E-mail sent to support-us@eken.com <support-us@eken.com>, no reply received.
2025-04-14: Vulnerability details sent to Mitre via their form.
2025-05-18: E-mail sent to support-us@eken.com <support-us@eken.com>, no reply received.
2025-05-25: E-mail sent to support-us@eken.com <support-us@eken.com>, no reply received.
2025-06-10: Mitre contacted again, asking for the reserved CVE-ID.  
2025-06-20: Mitre notifies me that the device type was incomplete.  
2025-07-02: Mitre contacted, new update provided (device type).
2025-07-15: Vulnerability published on this website.
2025-09-26: Mitre replies with the reserved CVE-ID CVE-2025-56675.   
2025-09-29: This post has been updated with the CVE-ID CVE-2025-56675.