CVE-2025-65857
Hardcoded Credentials in Xiongmai XM530 Cameras Allow Unauthorized Access
Publication date: 2025-12-22
Last updated on: 2025-12-22
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xiongmai | xm530 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows unauthorized real-time monitoring and mass surveillance by enabling attackers to access live video and audio streams from affected IP cameras without authentication. It leads to privacy violations, as attackers can spy on camera feeds unnoticed since there is no user notification of unauthorized access. Additionally, it can cause potential denial of service through stream exhaustion attacks. The vulnerability affects widely deployed cameras under various brands, increasing the risk of large-scale exploitation. [2]
Can you explain this vulnerability to me?
CVE-2025-65857 is a critical vulnerability in Xiongmai XM530-series IP cameras, specifically in the ONVIF Media Service's GetStreamUri endpoint. This endpoint exposes RTSP URIs that contain hardcoded credentials (username: wphd, password: 2MNswbQ5) embedded directly in the URL. These credentials are the same across all tested devices and do not change even if the admin password is modified. The credentials are transmitted in plaintext over HTTP without encryption or obfuscation, allowing unauthenticated, zero-click remote attackers to directly access live video and audio streams without any user interaction or authentication. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability results in critical privacy violations, which are significant concerns under regulations like GDPR. Unauthorized access to live video streams compromises personal data protection requirements, potentially leading to non-compliance with GDPR and similar privacy laws. This exposure of sensitive surveillance data could result in legal and regulatory consequences for affected organizations. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for RTSP connections to port 554 that include the hardcoded credentials (username: wphd, password: 2MNswbQ5) in the URI. You can also attempt to query the ONVIF GetStreamUri endpoint unauthenticated to extract the RTSP URI. Commands to detect this include using network monitoring tools like tcpdump or Wireshark to filter RTSP traffic, for example: `tcpdump -i <interface> port 554 -A | grep 'wphd_password=2MNswbQ5'`. Additionally, you can use curl or ONVIF client tools to send unauthenticated requests to the GetStreamUri endpoint to check if the RTSP URI with hardcoded credentials is exposed. [2]
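An added example (not from the CVE record, MITRE or the vendor) that implements the detection idea above in Python: it scans captured text such as an ONVIF GetStreamUri SOAP response or `tcpdump -A` output for RTSP URIs that carry credentials in the userinfo part, and flags the pair reported for this CVE separately from any other embedded credential. The sample capture, host addresses and stream paths are constructed.

```python
import re
from urllib.parse import urlsplit

# Credential pair reported for CVE-2025-65857 (from the advisory text above).
KNOWN_HARDCODED = {("wphd", "2MNswbQ5")}

# Finds rtsp:// URIs embedded in captured text (SOAP bodies, logs, tcpdump -A).
RTSP_URI_RE = re.compile(r"rtsp://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample: one GetStreamUri response leaking the hardcoded pair,
# one plain RTSP DESCRIBE with no credentials, one URI with other credentials.
SAMPLE_CAPTURE = """\
<tt:Uri>rtsp://wphd:2MNswbQ5@192.0.2.10:554/stream0</tt:Uri>
DESCRIBE rtsp://192.0.2.10:554/stream0 RTSP/1.0
<tt:Uri>rtsp://viewer:s3cret@192.0.2.11:554/stream1</tt:Uri>
"""


def find_credentialed_rtsp_uris(text):
    """Return (host, username, severity) for every RTSP URI carrying userinfo.

    severity is 'known-hardcoded' for the CVE-2025-65857 pair and
    'embedded-credential' for any other user:pass@ in the URI.
    Passwords are deliberately not returned, so results are safe to log.
    """
    findings = []
    for match in RTSP_URI_RE.finditer(text):
        parts = urlsplit(match.group(0))
        if parts.username is None:
            continue  # no userinfo in this URI, nothing to flag
        pair = (parts.username, parts.password or "")
        severity = "known-hardcoded" if pair in KNOWN_HARDCODED else "embedded-credential"
        findings.append((parts.hostname, parts.username, severity))
    return findings


if __name__ == "__main__":
    for host, user, severity in find_credentialed_rtsp_uris(SAMPLE_CAPTURE):
        print(f"{host}: RTSP URI exposes credentials for user '{user}' ({severity})")
```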
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include isolating the affected cameras on a separate VLAN, implementing firewall rules to block inbound and outbound traffic on RTSP port 554, restricting access to the cameras via VPN only, and monitoring RTSP connections for suspicious activity. Due to the lack of patches and the vendor's poor security track record, consider replacing the affected devices. There is no official patch available currently. [2]