Linux-Based Lenovo Webcam Vulnerability Puts Security at Risk

David Eberly
Contributing Writer

Security researchers have disclosed a vulnerability in select Linux-based Lenovo webcams that lets an attacker who has already gained code execution on the host reflash the camera over USB and turn it into a BadUSB attack tool without ever physically unplugging it.

The flaw, codenamed BadCam (CVE-2025-4371), was demonstrated at DEF CON 33 and, according to the researchers, is the first known example of a USB peripheral being hijacked remotely while it remains connected to its host.

Because the malicious firmware lives in the camera rather than on the computer, attackers can use the reflashed device to inject keystrokes or deliver payloads, and the implant survives an OS reinstall: the host's disk is never where it was stored. Lenovo has released firmware updates to address the issue, but the discovery shows the risk of implicitly trusting enterprise peripherals that run their own operating system.

Why It Matters: USB peripherals like webcams, keyboards, and conferencing gear usually receive little oversight, yet many run their own operating system and can present themselves to the host as any USB device class. Compromised in a BadUSB-style attack, they bypass traditional endpoint defenses, and because the implant travels with the hardware, a compromised device can reinfect a freshly imaged host or spread to other systems if it is moved between machines.

  • Remote Firmware Hijack Enables Peripheral Weaponization: Eclypsium researchers demonstrated that an attacker with remote code execution on a host computer can reflash the firmware of connected Lenovo 510 FHD and Performance FHD webcams, which run Linux with USB Gadget support, because the cameras accept new firmware without verifying its authenticity. USB Gadget is the Linux subsystem that lets a device act as a USB peripheral of any class, so the reflashed camera can present itself as a Human Interface Device (HID) and type commands into the host, or masquerade as other USB peripherals, without the user’s awareness.
  • Stealth with Long-Term Persistence: A compromised webcam keeps working as a normal video device, so users and IT staff have little reason to suspect it. Because the implant lives in the camera’s own flash, it outlasts system resets, reimaging and routine maintenance, and can act as a persistent reinfection source for the host or for any other machine the camera is plugged into.
  • Enterprise Trust Model Weakness in Peripheral Security: Most enterprises implicitly trust peripherals connected to corporate endpoints, treating them as low-risk once procured. BadCam shows that this trust is misplaced: keystrokes injected by a camera posing as a keyboard look like ordinary user input, so they pass through antivirus tools and endpoint configuration management controls that were never designed to question the keyboard.
  • Vendor Response and Mitigation Steps: Lenovo, working with chipset vendor SigmaStar, has issued firmware version 4.8.0 and a tool to validate and secure device firmware. Organizations using the affected models should deploy the update promptly; in high-security environments they should also consider regular firmware verification for USB-connected peripherals and host-side controls that restrict which USB device classes a given peripheral is allowed to present.
  • Expanding Risk of Peripherals: This incident confirms that benign USB devices can be turned into attack platforms. Threat models must now explicitly account for firmware-level compromise of everyday peripherals, in addition to the endpoints and network infrastructure they connect to.
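
As an added illustration of the host-side check the last two points imply (this is example code written for this page, not Eclypsium’s research tooling or Lenovo’s firmware utility), the Python below reads the USB interface descriptors Linux exposes under /sys/bus/usb/devices, flags any video-class device that also enumerates as a boot-protocol keyboard, flags a known camera ID that has stopped exposing video altogether, and emits a USBGuard allow rule pinned to the camera’s known-good interface set so that a later re-enumeration with an extra interface is rejected. The Lenovo vendor ID 0x17EF is real; the product IDs, the KNOWN_CAMERAS table and the SAMPLE devices are constructed placeholders, and the sysfs reader runs only when a live Linux tree is present.

```python
"""Audit USB descriptors for a webcam that has started acting as a keyboard.

Added illustration for this article; it is not Eclypsium's research code or
Lenovo's firmware tool. It reads the interface descriptors Linux exposes in
sysfs (or a constructed snapshot when run elsewhere), flags video-class
devices that also present a HID interface, flags a known camera ID that no
longer exposes video at all, and emits a USBGuard allow rule pinned to the
known-good interface set so a re-enumeration with extra interfaces is blocked.
"""
import os
from dataclasses import dataclass

VIDEO_CLASS = 0x0E                  # USB Video Class: what a webcam should expose
HID_CLASS = 0x03                    # Human Interface Device
KEYBOARD_BOOT = (0x03, 0x01, 0x01)  # HID, boot-interface subclass, keyboard protocol

# Assumption: 0x17EF is Lenovo's USB vendor ID; the product ID is a placeholder,
# not the real ID of the 510 FHD or Performance FHD cameras.
KNOWN_CAMERAS = {(0x17EF, 0x0001)}


@dataclass(frozen=True)
class UsbDevice:
    path: str          # sysfs node name, e.g. "1-3"
    vid: int
    pid: int
    product: str
    interfaces: tuple  # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) per interface


def read_sysfs(root="/sys/bus/usb/devices"):
    """Enumerate real devices from a live Linux sysfs tree (interface nodes skipped)."""
    def attr(d, name):
        with open(os.path.join(d, name)) as f:
            return f.read().strip()

    devices = []
    for node in sorted(os.listdir(root)):
        dev_dir = os.path.join(root, node)
        if ":" in node or not os.path.exists(os.path.join(dev_dir, "idVendor")):
            continue  # "1-3:1.0" is an interface, not a device
        ifaces = []
        for sub in sorted(os.listdir(dev_dir)):
            if_dir = os.path.join(dev_dir, sub)
            if sub.startswith(node + ":") and os.path.exists(os.path.join(if_dir, "bInterfaceClass")):
                ifaces.append(tuple(int(attr(if_dir, a), 16) for a in
                                    ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")))
        product = attr(dev_dir, "product") if os.path.exists(os.path.join(dev_dir, "product")) else ""
        devices.append(UsbDevice(node, int(attr(dev_dir, "idVendor"), 16),
                                 int(attr(dev_dir, "idProduct"), 16), product, tuple(ifaces)))
    return devices


def audit(dev, known_cameras=KNOWN_CAMERAS):
    """Return (severity, message) findings for one device; an empty list means clean."""
    classes = {c for c, _, _ in dev.interfaces}
    ident = f"{dev.path} {dev.vid:04x}:{dev.pid:04x} '{dev.product}'"
    if (dev.vid, dev.pid) in known_cameras and VIDEO_CLASS not in classes:
        return [("HIGH", f"{ident} is a known camera ID but exposes no video interface")]
    if VIDEO_CLASS not in classes:
        return []  # a plain keyboard or storage device is out of scope for this check
    hid = [i for i in dev.interfaces if i[0] == HID_CLASS]
    if KEYBOARD_BOOT in hid:
        return [("HIGH", f"{ident} is a camera that also enumerates as a boot-protocol keyboard")]
    if hid:
        return [("REVIEW", f"{ident} exposes HID interface(s) {hid}; confirm against the vendor baseline")]
    return []


def usbguard_rule(dev):
    """USBGuard allow rule that matches only this exact interface set (operator 'equals')."""
    ifs = " ".join(f"{c:02x}:{s:02x}:{p:02x}" for c, s, p in dev.interfaces)
    return f"allow id {dev.vid:04x}:{dev.pid:04x} with-interface equals {{ {ifs} }}"


# Constructed snapshot for offline use; product IDs are placeholders, not real ones.
BASELINE_IFACES = ((0x0E, 0x01, 0x00), (0x0E, 0x02, 0x00), (0x01, 0x01, 0x00), (0x01, 0x02, 0x00))
SAMPLE = [
    UsbDevice("1-3", 0x17EF, 0x0001, "Webcam (baseline)", BASELINE_IFACES),
    UsbDevice("1-4", 0x17EF, 0x0001, "Webcam (reflashed, composite)", BASELINE_IFACES + (KEYBOARD_BOOT,)),
    UsbDevice("1-5", 0x17EF, 0x0001, "Webcam (reflashed, keyboard only)", (KEYBOARD_BOOT,)),
    UsbDevice("1-6", 0x17EF, 0x0002, "Webcam with button HID", BASELINE_IFACES + ((0x03, 0x00, 0x00),)),
    UsbDevice("1-7", 0x1234, 0x5678, "Ordinary keyboard", (KEYBOARD_BOOT, (0x03, 0x00, 0x00))),
]

if __name__ == "__main__":
    devices = read_sysfs() if os.path.isdir("/sys/bus/usb/devices") else SAMPLE
    for dev in devices:
        for severity, message in audit(dev):
            print(severity, message)
        if VIDEO_CLASS in {c for c, _, _ in dev.interfaces}:
            print("  baseline rule:", usbguard_rule(dev))
```

Two caveats apply. First, the attacker in this scenario already runs code on the host, so a check like this is only trustworthy when run from a clean machine, from a central inventory that records each peripheral’s descriptors, or enforced by USBGuard before the device is authorized; it is a complement to Lenovo’s firmware update, not a substitute. Second, some genuine cameras carry a vendor-specific HID interface for buttons or LEDs, which is why the script reports those as REVIEW rather than HIGH and why the generated rule whitelists exactly the interface set observed on the known-good device; usbguard generate-policy can tighten that rule further with descriptor hashes.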

Go Deeper -> Linux-Based Lenovo Webcams’ Flaw Can Be Remotely Exploited for BadUSB Attacks – The Hacker News

Trusted insights for technology leaders

Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.