CVE-2025-9983
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-22

Assigner: CERT.PL

Description
GALAYOU G2 cameras stream video output via RTSP streams. By default these streams are protected by randomly generated credentials. However these credentials are not required to access the stream. Changing these values does not change camera's behavior. The vendor did not respond in any way. Only versionΒ 11.100001.01.28 was tested, other versions might also be vulnerable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-09-22
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9983
EUVD
EUVD-2025-30773
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
galayou g2_camera 11.100001.01.28
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9983 is a vulnerability in GALAYOU G2 cameras where the video streams, delivered via RTSP, are supposed to be protected by randomly generated credentials. However, these credentials are not actually required to access the streams, meaning anyone can view the video without authentication. Changing the credentials does not restrict access. This is classified as missing authentication for a critical function. [1]

Impact Analysis

This vulnerability allows unauthorized users to access live video streams from the affected cameras without any authentication. This can lead to privacy breaches, unauthorized surveillance, and exposure of sensitive video data. [1]

Detection Guidance

You can detect this vulnerability by scanning your network for GALAYOU G2 cameras streaming video via RTSP without requiring authentication. For example, use tools like 'nmap' with the RTSP script to identify open RTSP ports and test access without credentials. A sample command: nmap -p 554 --script rtsp-url-brute <target-ip>. Additionally, you can try accessing the RTSP stream URL directly (e.g., rtsp://<camera-ip>/) without credentials to verify if the stream is accessible. [1]

Mitigation Strategies

Immediate mitigation steps include isolating the affected GALAYOU G2 cameras from untrusted networks to prevent unauthorized access, disabling RTSP streaming if possible, or placing the cameras behind a firewall or VPN to restrict access. Since changing credentials does not affect access, network-level controls are necessary until a vendor patch or update is available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9983. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart