{"api_version":"1","generated_at":"2026-04-22T23:23:09+00:00","cve":"CVE-2018-17915","urls":{"html":"https://cve.report/CVE-2018-17915","api":"https://cve.report/api/cve/CVE-2018-17915.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-17915","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-17915"},"summary":{"title":"CVE-2018-17915","description":"All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or impersonate the update server with malicious update code.","state":"PUBLIC","assigner":"ics-cert@hq.dhs.gov","published_at":"2018-10-10 15:29:00","updated_at":"2019-10-09 23:37:00"},"problem_types":["CWE-311"],"metrics":[],"references":[{"url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-282-06","name":"https://ics-cert.us-cert.gov/advisories/ICSA-18-282-06","refsource":"MISC","tags":["Third Party Advisory","US Government Resource"],"title":"Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server | ICS-CERT","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-17915","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17915","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"17915","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xiongmaitech","cpe5":"xmeye_p2p_cloud_server","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"17915","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xiongmaitech","cpe5":"xmeye_p2p_cloud_server","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","DATE_PUBLIC":"2018-10-09T00:00:00","ID":"CVE-2018-17915","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"XMeye P2P Cloud Server","version":{"version_data":[{"version_value":"All versions"}]}}]},"vendor_name":"Hangzhou Xiongmai Technology Co., Ltd"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or impersonate the update server with malicious update code."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"MISSING ENCRYPTION OF SENSITIVE DATA CWE-311"}]}]},"references":{"reference_data":[{"name":"https://ics-cert.us-cert.gov/advisories/ICSA-18-282-06","refsource":"MISC","url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-282-06"}]}},"nvd":{"publishedDate":"2018-10-10 15:29:00","lastModifiedDate":"2019-10-09 23:37:00","problem_types":["CWE-311"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:xiongmaitech:xmeye_p2p_cloud_server:-:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"17915","Ordinal":"134732","Title":"CVE-2018-17915","CVE":"CVE-2018-17915","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"17915","Ordinal":"1","NoteData":"All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or impersonate the update server with malicious update code.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"17915","Ordinal":"2","NoteData":"2018-10-10","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"17915","Ordinal":"3","NoteData":"2018-10-10","Type":"Other","Title":"Modified"}]}}}