CVE-2020-37146
Published: 07 February 2026
Summary
CVE-2020-37146 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Acesecurity (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, ranked at the 9.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.
Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
Auditing sessions makes it possible to detect access to critical functions without required authentication.
The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.
Certification assesses that critical functions have required authentication controls in place.
Disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components.
NVD Description
ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. Attackers can access the camera's configuration backup by sending a GET request to the /config_backup.bin endpoint, exposing credentials and system settings.
Deeper analysisAI
CVE-2020-37146 is a configuration disclosure vulnerability affecting the ACE Security WiP-90113 HD Camera. The issue allows unauthenticated attackers to retrieve sensitive configuration files by sending a GET request to the /config_backup.bin endpoint, which exposes credentials and system settings. It carries a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is linked to CWE-306: Missing Authentication for Critical Function.
Unauthenticated attackers with network access to the device can exploit this vulnerability with low complexity and no privileges or user interaction required. Exploitation grants high-impact access to confidential data, including the camera's full configuration backup containing credentials and other system settings, potentially enabling further compromise of the device or related networks.
Advisories and related resources include vendor pages from ACE Security at https://acesecurity.jp and https://acesecurity.jp/support/top/wip_series/wip-90113, a VulnCheck advisory at https://www.vulncheck.com/advisories/aptina-ar-p-mp-camera-remote-configuration-disclosure, and a proof-of-concept exploit published on Exploit-DB at https://www.exploit-db.com/exploits/48127. Specific mitigation or patch details are outlined in these references.
Details
- CWE(s)