No Patch Coming for RCE Vulnerability in LG Surveillance Cameras

Red Dog Security

29 Jul 2025 — 1 min read

A critical remote code execution (RCE) vulnerability has been discovered in LG surveillance cameras—but no fix is coming. The flaw, which allows attackers to gain administrative control, affects thousands of devices worldwide and is being actively highlighted by security experts and government agencies.

CISA Issues Warning

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory concerning LG Innotek LNV5110R cameras, which are widely deployed—including in critical infrastructure across commercial sectors.

The vulnerability, tracked as CVE-2025-7742, enables attackers to bypass authentication and upload data to the device’s non-volatile storage via an HTTP POST request. This ultimately allows for remote code execution with elevated privileges.

No Patch—Product at End of Life

Despite the severity, LG Innotek has confirmed it will not issue a patch for the vulnerability. The reason: the affected cameras have reached end-of-life (EOL) status.

Security researchers had privately notified LG of the flaw, but the company stated that no firmware updates would be made available.

1,300+ Cameras Exposed

Souvik Kandar, a cybersecurity researcher at MicroSec who was credited by CISA with the discovery, estimates that over 1,300 cameras are currently exposed online and vulnerable to remote takeover.

“This is an unauthenticated remote code execution vulnerability,” Kandar said.
“Attackers can upload a reverse shell without logging in, gain admin privileges, execute arbitrary Linux commands, and use the device as a launchpad to infiltrate corporate internal networks.”

According to Kandar, attackers exploiting the flaw could:

View live camera feeds
Disable cameras remotely
Execute malicious commands to pivot deeper into connected networks

Key Takeaways

No fix available — LG Innotek will not patch the flaw
1,300+ devices exposed — Immediate risk of remote compromise
High-impact threat — Attackers can spy, disrupt, or infiltrate networks

This incident raises serious concerns about the long-term security of surveillance devices and the consequences of vendor abandonment. Organizations relying on legacy camera systems should act swiftly—either by replacing affected units or isolating them from sensitive environments.

The s1ngularity Attack Affected 2,180 GitHub Accounts

Specialists from Wiz have published new details on the recent s1ngularity attack targeting the open-source build system NX. The incident exposed data from 2,180 GitHub accounts and compromised more than 7,200 repositories, making it one of the largest supply chain breaches seen this year. What Is NX? NX

iCloud Calendar Is Being Exploited to Send Phishing Emails from Apple’s Servers

Invitations sent through iCloud Calendar are being weaponized to deliver phishing emails disguised as purchase notifications—sent directly from Apple’s own mail servers. This tactic significantly increases the chances of bypassing spam filters. A Familiar Scam with a New Twist According to Bleeping Computer, a reader recently shared a

Hacked npm Packages Downloaded More Than 2.6 Billion Times Weekly

Researchers are warning of what may be the largest supply chain attack in history. Attackers injected malware into several of the most widely used npm packages—collectively downloaded more than 2.6 billion times each week. The breach was made possible when hackers compromised a maintainer’s account through a

Google May Make AI Mode in Search Available by Default

Google is preparing to give users more control over its AI-powered search experience by allowing “AI mode” to be set as the default—potentially replacing traditional link-based results. What AI Mode Does AI mode is a version of Google Search that uses large language models (LLMs) to generate summaries of