Alta video—1490: Vulnerability in 7zDec library could lead to attacker-controlled code execution in firmware upgrade process

Release Date

11th of November 2025.

Overview

A vulnerability was identified in the 7zDec library used in the Avigilon Flex camera's firmware upgrade process. In the worst case, this vulnerability could allow a remote attacker to execute arbitrary code through a maliciously crafted 7Z file, potentially leading to a compromise of the device.

Affected Products

  • Avigilon Flex Cameras:
    • All Stable upgrade channel versions before 7.8.6.
    • All Beta upgrade channel versions before 7.8.0.

Unaffected Products

  • Alta Video: all versions.
  • Avigilon Flex Cameras:
    • All Stable upgrade channel versions after and including 7.8.6.
    • All Beta upgrade channel versions after and including 7.8.0.
  • Alta Video Cloud: all versions.

Resolution

This issue has been fixed in Avigilon Flex Cameras Beta upgrade channel version 7.8.0 and Stable upgrade channel version 7.8.6.

It is highly recommended that all Avigilon Flex camera installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Alta Video User Interface for Avigilon Cloud-Native cameras and the Avigilon Cloud-Native Camera Interface for unmanaged cameras.

Vulnerability Information

Mitigations

There are no known mitigations for this issue.

Workarounds

There are no known workarounds for this issue.

Acknowledgements

Issue reported by project maintainers.

Disclosure Timeline

  • 06/03/2024 Issue found
  • 12/04/2018 Root cause established
  • 16/04/2018 Fix identified
  • 04/09/2025 Patched Avigilon Cloud-Native Cameras (Beta upgrade channel) released
  • 07/08/2025 Patched Avigilon Cloud-Native Cameras (Stable upgrade channel) released
  • 11/11/2025 Vulnerability publicly disclosed