Cyber Posture

CVE-2024-34896

Severity: High

Published: 03 February 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0031 (54.2nd percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-34896 is a high-severity vulnerability of unspecified weakness type (no CWE listed) in Nedis SmartLife Video (product inferred from references). Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 45.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (AC-12, Session Termination): Directly mandates automatic termination of user sessions upon disconnection events, preventing retained unauthorized access to the live video feed after the peer-to-peer connection ends.

prevent: Requires re-authentication under specific conditions, such as after a peer-to-peer disconnection, mitigating continued access without proper re-validation.

prevent (AC-3, Access Enforcement): Enforces approved access control policies that include validating active session state, addressing the improper handling of disconnected peer-to-peer connections.

NVD Description

An issue in Nedis SmartLife Video Doorbell (WIFICDP10GY), Nedis SmartLife IOS v1.4.0 causes users who are disconnected from a previous peer-to-peer connection with the device to still have access to live video feed.

Deeper analysis

CVE-2024-34896 affects the Nedis SmartLife Video Doorbell (model WIFICDP10GY) and the Nedis SmartLife iOS app version 1.4.0. The vulnerability stems from improper handling of peer-to-peer connections: users disconnected from a prior connection with the device retain unauthorized access to the live video feed.

Attackers can exploit this remotely over the network with low complexity, requiring no privileges, authentication, or user interaction, as indicated by the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and a base score of 7.5 (High). A remote unauthenticated adversary who previously established a peer-to-peer connection can achieve high confidentiality impact by continuing to view the live video stream without re-authenticating or reconnecting.
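To make the control mapping concrete, the following added example (written for this page, not code from Nedis, the SmartLife app, or the cited report) models the session lifecycle that AC-12 and AC-3 govern. It is a hypothetical feed broker: `VideoFeedBroker`, `Session`, `authenticate`, `request_frame`, `on_peer_disconnect` and `on_peer_reconnect` are all invented names, and the credentials are constructed sample data. The `terminate_on_disconnect` switch contrasts the failure mode described above (a session outliving its peer-to-peer link, so a stale token still returns frames) with the compliant behaviour, where the disconnect callback ends the session and a reconnecting client must authenticate again.

```python
"""Session lifecycle model for a peer-to-peer video feed.

Illustrates NIST 800-53 AC-12 (terminate the session when the transport
drops) and AC-3 (check live session state on every frame request).
Hypothetical code for illustration only; not the vendor's firmware or app.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    token: str
    connected: bool = True  # is the P2P transport currently up?
    active: bool = True     # is the session still authorised to receive frames?


class VideoFeedBroker:
    """Mediates access to the live feed.

    terminate_on_disconnect=False models the weakness described in the CVE:
    the session survives the P2P teardown, so the old token keeps working.
    True is the AC-12 compliant behaviour.
    """

    def __init__(self, credentials: dict[str, str], terminate_on_disconnect: bool = True):
        self._credentials = credentials          # user -> password (constructed sample data)
        self._sessions: dict[str, Session] = {}  # token -> session
        self._terminate_on_disconnect = terminate_on_disconnect

    def authenticate(self, user: str, password: str) -> str:
        """Issue a fresh session token; fails closed on bad credentials."""
        expected = self._credentials.get(user, "")
        if not secrets.compare_digest(expected, password):
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(16)
        self._sessions[token] = Session(user=user, token=token)
        return token

    def request_frame(self, token: str) -> bytes:
        """AC-3: every frame request is checked against current session state."""
        session = self._sessions.get(token)
        if session is None or not session.active:
            raise PermissionError("no active session for token")
        return b"\x00\x00\x01FRAME"  # stand-in for an encoded video frame

    def on_peer_disconnect(self, token: str) -> None:
        """Transport callback fired when the P2P link drops."""
        session = self._sessions.get(token)
        if session is None:
            return
        session.connected = False
        if self._terminate_on_disconnect:
            # AC-12: end the session so the token cannot be reused after the drop.
            del self._sessions[token]

    def on_peer_reconnect(self, token: str) -> bool:
        """Resume only if the session still exists; otherwise the client must re-authenticate."""
        session = self._sessions.get(token)
        if session is None:
            return False
        session.connected = True
        return True


def stale_token_still_streams(terminate_on_disconnect: bool) -> bool:
    """Return True if a token issued before a disconnect still yields frames afterwards."""
    broker = VideoFeedBroker({"alice": "correct horse"}, terminate_on_disconnect)
    token = broker.authenticate("alice", "correct horse")
    broker.request_frame(token)          # works while the link is up
    broker.on_peer_disconnect(token)     # P2P link drops
    try:
        broker.request_frame(token)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("vulnerable model, stale token streams:", stale_token_still_streams(False))
    print("AC-12 model, stale token streams:     ", stale_token_still_streams(True))
```

The check that matters for detection and mitigation is the one in `request_frame`: access is decided per request from current session state, not from a token that happened to be valid when the connection was first set up.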

References for advisories and potential mitigations include the vendor site at http://nedis.com and a detailed report at https://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-359419. The CVE was published on 2025-02-03.

Details

CWE(s)
None listed

Affected Products

Vendor: Nedis
Product: SmartLife Video (inferred from references and description; NVD did not file a CPE for this CVE)

References