Impact Analysis

This vulnerability allows unauthorized real-time monitoring and mass surveillance by enabling attackers to access live video and audio streams from affected IP cameras without authentication. It leads to privacy violations, as attackers can spy on camera feeds unnoticed since there is no user notification of unauthorized access. Additionally, it can cause potential denial of service through stream exhaustion attacks. The vulnerability affects widely deployed cameras under various brands, increasing the risk of large-scale exploitation. [2]

Useful 0 Not Useful 0

Executive Summary

CVE-2025-65857 is a critical vulnerability in Xiongmai XM530-series IP cameras, specifically in the ONVIF Media Service's GetStreamUri endpoint. This endpoint exposes RTSP URIs that contain hardcoded credentials (username: wphd, password: 2MNswbQ5) embedded directly in the URL. These credentials are the same across all tested devices and do not change even if the admin password is modified. The credentials are transmitted in plaintext over HTTP without encryption or obfuscation, allowing unauthenticated, zero-click remote attackers to directly access live video and audio streams without any user interaction or authentication. [2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability results in critical privacy violations, which are significant concerns under regulations like GDPR. Unauthorized access to live video streams compromises personal data protection requirements, potentially leading to non-compliance with GDPR and similar privacy laws. This exposure of sensitive surveillance data could result in legal and regulatory consequences for affected organizations. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for RTSP connections to port 554 that include the hardcoded credentials (username: wphd, password: 2MNswbQ5) in the URI. You can also attempt to query the ONVIF GetStreamUri endpoint unauthenticated to extract the RTSP URI. Commands to detect this include using network monitoring tools like tcpdump or Wireshark to filter RTSP traffic, for example: `tcpdump -i <interface> port 554 -A | grep 'wphd_password=2MNswbQ5'`. Additionally, you can use curl or ONVIF client tools to send unauthenticated requests to the GetStreamUri endpoint to check if the RTSP URI with hardcoded credentials is exposed. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include isolating the affected cameras on a separate VLAN, implementing firewall rules to block inbound and outbound traffic on RTSP port 554, restricting access to the cameras via VPN only, and monitoring RTSP connections for suspicious activity. Due to the lack of patches and the vendor's poor security track record, consider replacing the affected devices. There is no official patch available currently. [2]

Useful 0 Not Useful 0