Geovision Fingerprint Card Scanners Contain Critical Bugs and a Backdoor

Over 2,500 vulnerable Geovision devices have a backdoor in the form of a weak default root password, “admin”, which allows them to be remotely compromised. As a best practice, ensure all root passwords are complex and are not left at the default value.
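The mitigation above (root passwords that are neither default nor weak) is easy to turn into a routine check over a device inventory. The following script is an added example and is not code from the article or from Geovision; the inventory, the host names and the list of rejected default values are constructed for illustration, and the complexity rule (12 characters, three character classes) is an assumed policy rather than one the article specifies.

```python
"""Audit root passwords in a device inventory against a simple policy.

Added example, not part of the original article. The inventory and the set
of rejected defaults are constructed; "admin" is the default the article names.
"""
import string

# Constructed set of values to reject outright. "admin" is the Geovision default
# named in the article; the others are assumed common defaults.
REJECTED_DEFAULTS = {"admin", "password", "root", "12345", ""}

# Assumed policy values, not taken from the article.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/punctuation classes appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def password_issues(password: str) -> list:
    """Return a list of policy violations for one password (empty if compliant)."""
    issues = []
    if password.lower() in REJECTED_DEFAULTS:
        issues.append("default-or-common")
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter-than-{MIN_LENGTH}")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        issues.append(f"fewer-than-{MIN_CHARACTER_CLASSES}-character-classes")
    return issues


def audit_inventory(inventory: dict) -> dict:
    """Map each non-compliant host to its list of issues."""
    findings = {}
    for host, password in inventory.items():
        issues = password_issues(password)
        if issues:
            findings[host] = issues
    return findings


# Constructed sample inventory: host name -> configured root password.
SAMPLE_INVENTORY = {
    "scanner-lobby": "admin",          # still at the vendor default
    "scanner-hr": "Password1",         # changed, but too short
    "scanner-dock": "Xk9#mQv2pL!r",    # compliant under the assumed policy
}

if __name__ == "__main__":
    for host, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(issues)}")
```

Run against a real inventory, the script should read credentials from a secrets store rather than a literal dictionary; the point of the example is the policy check itself, which flags a device still at the default before it can be found from the outside.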

Other flaws include allowing unauthenticated attackers to read system logs, the use of a hardcoded private key shared across devices for SSH, and a buffer overflow that could allow attackers to execute code. All of the vulnerabilities except the buffer overflow were patched in recent updates.

These flaws have likely arisen because security was not considered during development of the software used, which is not uncommon for IoT devices.

Source: Thehackernews

Risk Crew