CVE-2025-14746
BaseFortify
Publication date: 2025-12-16
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shenzhenningyuandatechnology | tc155_firmware | 57.0.2.0 |
| shenzhenningyuandatechnology | tc155 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14746 is an authentication bypass vulnerability in the Shenzhen Ningyuanda TC155 IP Camera firmware version 57.0.2.0. It occurs due to a missing critical authentication step in the RTSP (Real-Time Streaming Protocol) live video stream endpoint. This flaw allows an attacker located within the same local network to access the live video stream without providing any authentication credentials, enabling unauthorized viewing and recording of the camera's video feed. [1, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users on your local network to access and view live video streams from the affected IP camera without any authentication. This leads to significant privacy risks, as attackers can monitor physical spaces and freely capture and record video feeds, potentially exposing sensitive or private information. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the RTSP live video stream endpoint of the Shenzhen Ningyuanda TC155 IP Camera from within the local network without providing authentication credentials. Since the vulnerability allows unauthorized access to the live video stream, a simple test is to connect to the camera's RTSP URL (e.g., `rtsp://<camera-ip>/live`) using an RTSP client or command-line tool like ffmpeg or VLC without any authentication. If the stream is accessible without credentials, the device is vulnerable. Example command using ffmpeg:

```
ffmpeg -i rtsp://<camera-ip>/live -t 10 -f null -
```

This tries to access the stream for 10 seconds. If it succeeds without authentication prompts, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the affected TC155 IP Camera by isolating it within a secure VLAN or subnet to limit local network exposure. Since no patches or vendor mitigations are available, consider disabling RTSP streaming if possible or replacing the affected device with a more secure alternative. Monitoring network traffic for unauthorized RTSP connections and changing network configurations to limit access to trusted devices can also help reduce risk. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to live video streams without authentication, posing significant privacy risks by enabling attackers to monitor physical spaces. Such unauthorized access to potentially sensitive video data could lead to non-compliance with privacy and data protection regulations like GDPR and HIPAA, which require protection of personal and sensitive information. However, no explicit information about compliance impact is provided in the resources. [1, 3]