
Gjoko Krstic of Zero Science Lab has uncovered a critical path traversal vulnerability in Selea’s TARGA series of IP-based automatic number plate recognition (ANPR) cameras. The flaw, tracked as CVE-2025-34022 and rated CVSS 9.3, affects multiple models including the iZero, Targa 512, Targa 504, and Targa Semplice.
The vulnerability resides in the /common/get_file.php script used in the “Download Archive in Storage” feature. According to the advisory:
“Input passed through the Download Archive in Storage page using get_file.php script is not properly verified before being used to download files.”
This means that remote, unauthenticated attackers can exploit the file parameter to perform directory traversal attacks, granting them access to arbitrary files on the camera’s filesystem, including those storing cleartext credentials.
Selea’s TARGA cameras aren’t ordinary IP cameras. Equipped with built-in OCR software, these standalone devices can read vehicle license plates, Hazard Identification Numbers (HIN/Kemler codes), and UN numbers — even at high speeds and without external computer dependencies.
An attacker exploiting this flaw can:
- Download sensitive configuration and credential files
- Bypass authentication
- Gain operational intelligence about surveillance targets
- Potentially tamper with recordings or disable camera functions
The advisory lists the following affected models and firmware versions:
- Models: iZero, Targa 512, 504, Semplice, 704 TKM, 805, 710 INOX, 750, 704 ILB
- Firmware Versions: BLD201113005214, BLD201106163745, BLD200304170901, and others
- Camera Platform Software (CPS): Versions 4.013(201105), 3.100(200225), 3.005(191206)
This wide range of affected versions suggests that the vulnerability likely impacts a significant portion of active Selea ANPR deployments, including those used by traffic enforcement agencies, municipalities, and security-sensitive organizations.
For those looking to validate the flaw, Krstic has published a proof-of-concept exploit.
This public PoC increases the urgency of patching or mitigating the vulnerability, as it significantly lowers the barrier to exploitation.
Perhaps the most concerning aspect of this disclosure is the lack of vendor engagement. The advisory bluntly states: “No response from the vendor.”
This silence suggests that no official patch or firmware update is currently available, leaving affected deployments exposed.
Until a fix is released (if ever), administrators are strongly urged to take immediate defensive actions:
- Restrict network access to Selea cameras using firewalls and VPNs
- Disable public exposure of the web interface
- Monitor logs for suspicious file access attempts
- Use intrusion detection systems to flag exploitation attempts
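One way to carry out the log-monitoring step above, as an added example (not code from the advisory or the vendor): it flags requests to `/common/get_file.php` whose `file` parameter contains a traversal segment or an absolute path, including percent-encoded and double-encoded forms. It assumes Common/Combined Log Format access logs from the camera or a reverse proxy in front of it; the sample log lines and file names are constructed.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/common/get_file.php"  # script named in the advisory
PARAM = "file"                     # parameter named in the advisory
# Assumption: Common/Combined Log Format; adjust for your log source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2025:10:00:00 +0000] "GET /common/get_file.php?file=archive_0001.zip HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2025:10:01:00 +0000] "GET /common/get_file.php?file=../../../example/placeholder.txt HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jul/2025:10:01:05 +0000] "GET /common/get_file.php?file=%252e%252e%252f%252e%252e%252fexample.txt HTTP/1.1" 200 90',
    '203.0.113.5 - - [01/Jul/2025:10:02:00 +0000] "GET /index.php?page=../x HTTP/1.1" 404 0',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value has a '..' segment or is an absolute path."""
    path = fully_decode(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def scan(lines):
    """Return (ip, timestamp, status, decoded value) per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if posixpath.normpath(fully_decode(url.path)) != ENDPOINT:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(value):
                hits.append((m["ip"], m["ts"], m["status"], fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT", *hit)
```

Prioritise hits with a 200 status, since those requests were answered rather than rejected.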