CVE-2019-25236
Unknown Unknown - Not Provided
Unauthenticated Access to Live Video in iSeeQ Hybrid DVR

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25236
EUVD
EUVD-2025-205312
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
php php 7.0.22
boa boa 0.94.13
iseeq hybrid_dvr_wh-h4 2.0.0.p
iseeq hybrid_dvr_wh-h4 1.03r
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in iSeeQ Hybrid DVR WH-H4 versions 1.03R and 2.0.0.P involves an unauthenticated access flaw in the 'get_jpeg' script. Attackers can send requests to the /cgi-bin/get_jpeg endpoint specifying a camera channel and retrieve live video snapshots without any authentication or authorization. This allows unauthorized users to access live video streams from the DVR, potentially compromising the privacy and security of the surveillance system. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of live video streams from the affected DVR device. Attackers can obtain live snapshots and even compile them into video clips, thereby compromising the privacy and security of monitored areas. This unauthorized access could expose sensitive information and surveillance footage to malicious actors without any authentication barriers. [1, 2]

Detection Guidance

This vulnerability can be detected by sending HTTP requests to the endpoint `/cgi-bin/get_jpeg?ch=<CHANNEL>` on the target DVR device. If the device is vulnerable, it will return JPEG snapshots of the live video stream without requiring authentication. A proof-of-concept bash script is available that automates this detection by collecting sequential JPEG snapshots and checking the HTTP status of `/cgi-bin/php/login.php`; if this returns 404, the target is considered not vulnerable. The detection involves using commands like `curl` or `wget` to request `/cgi-bin/get_jpeg?ch=1` (or other channel numbers) and checking for valid JPEG responses. [1, 2]

Compliance Impact

The vulnerability allows unauthenticated attackers to access live video streams and snapshots without authorization, potentially compromising the privacy and security of surveillance data. This unauthorized disclosure of sensitive video data could lead to non-compliance with privacy regulations such as GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting network access to the vulnerable DVR device, especially blocking external access to the /cgi-bin/get_jpeg endpoint to prevent unauthorized requests. Additionally, monitor and audit network traffic for suspicious requests to this endpoint. If possible, update the device firmware or software to a version that patches this vulnerability or apply any vendor-provided security updates. If no patch is available, consider isolating the device on a secure network segment to limit exposure. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart