CVE-2020-37157
Published: 07 February 2026
Summary
CVE-2020-37157 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2020-37157 is a configuration disclosure vulnerability (CWE-306) affecting the DBPower C300 HD Camera. The flaw exposes an unprotected configuration backup endpoint at /tmpfs/config_backup.bin, enabling unauthenticated attackers to download the config_backup.bin file and extract hardcoded username and password credentials stored within it.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation results in high-impact disclosure of sensitive configuration data, potentially allowing attackers to authenticate to the device or pivot to further actions depending on the credentials' scope.
Advisories detail the issue and proof-of-concept exploitation, including a VulnCheck advisory at https://www.vulncheck.com/advisories/dbpower-c-hd-camera-remote-configuration-disclosure, an Exploit-DB entry (https://www.exploit-db.com/exploits/48095), and an archived blog post on multiple DBPower C300 vulnerabilities (https://web.archive.org/web/20200620110617/https://donev.eu/blog/dbpower-c300-multiple-vulnerabilities). No patches or specific mitigations are described in the provided references.
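Because no vendor patch is referenced, detection is the practical control. As an added defender-side example (not code from the advisory, VulnCheck or the vendor), the following Python flags requests for the unprotected backup endpoint in a reverse-proxy or web-server access log. The log lines are constructed and the Common Log Format layout is assumed.

```python
import re
from collections import Counter

# Endpoint named in the advisory for CVE-2020-37157.
BACKUP_ENDPOINT = "/tmpfs/config_backup.bin"

# Common Log Format (assumed layout): src ident user [ts] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines standing in for a proxy or sensor log in front of the camera.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1423
203.0.113.7 - - [10/Feb/2026:09:14:05 +0000] "GET /tmpfs/config_backup.bin HTTP/1.1" 200 8192
198.51.100.4 - - [10/Feb/2026:09:20:11 +0000] "GET /tmpfs/CONFIG_BACKUP.bin?x=1 HTTP/1.1" 401 0
192.0.2.9 - - [10/Feb/2026:09:31:40 +0000] "GET /index.html HTTP/1.1" 200 1423
"""

def find_config_disclosure(log_text):
    """Return one finding per request for the backup endpoint.

    outcome is "disclosure" when the device served a non-empty body with a
    2xx status (the unauthenticated download the advisory describes), and
    "attempt" when the request was refused or returned nothing.
    """
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        # Normalise before comparing: drop any query string and ignore case.
        path = m["path"].split("?", 1)[0].lower()
        if path != BACKUP_ENDPOINT:
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        outcome = "disclosure" if 200 <= status < 300 and size > 0 else "attempt"
        findings.append({"src": m["src"], "ts": m["ts"], "status": status,
                         "outcome": outcome, "technique": "T1190"})
    return findings

def summarize(findings):
    """Count findings per outcome, for an alert summary line."""
    return Counter(f["outcome"] for f in findings)

if __name__ == "__main__":
    for f in find_config_disclosure(SAMPLE_LOG):
        print(f)
    print(dict(summarize(find_config_disclosure(SAMPLE_LOG))))
```

A successful "disclosure" finding should be treated as credential compromise of the camera, since the backup contains the hardcoded username and password.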
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31110
Vulnerability details
DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract the hardcoded username and password by accessing the /tmpfs/config_backup.bin resource.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables unauthenticated remote exploitation of a public-facing device endpoint to retrieve a configuration file containing hardcoded credentials (T1190 + T1552.001).
Mitigating Controls (NIST 800-53 r5)
AC-14 limits the actions a system permits without identification or authentication, directly preventing unauthenticated access to the /tmpfs/config_backup.bin endpoint.
AC-3 enforces approved authorizations for access to system resources, blocking unauthenticated retrieval of the sensitive configuration file containing hardcoded credentials.
SC-14 protects information on publicly accessible systems from unauthorized transfer, mitigating disclosure via the unprotected camera web endpoint.