CVE-2025-66049
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-66049, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: CERT.PL

Description

Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security.  The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-07-06
AI Q&A
2026-01-10
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vivotek ip7137 From 0200a (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Vivotek IP7137 camera firmware version 0200a, allowing unauthenticated access to the live video stream via the RTSP protocol on port 8554. This means that anyone with network access to the camera can view the live feed without needing to provide any authentication, potentially exposing private video footage. The issue may affect all firmware versions, and no fix is expected since the product is at its End-Of-Life stage. [1]

Impact Analysis

The vulnerability can lead to unauthorized users viewing live camera footage, compromising user privacy and security. This exposure of live video streams can result in sensitive information being leaked, surveillance being bypassed, and potential misuse of the camera feed by malicious actors. [1]

Detection Guidance

You can detect this vulnerability by scanning your network for devices with port 8554 open and attempting to access the RTSP stream without authentication. For example, use the command: `nmap -p 8554 --open <target-ip>` to identify devices with the RTSP port open. Then, try to access the stream using an RTSP client like VLC with the URL `rtsp://<target-ip>:8554/` to see if the live feed is accessible without credentials. [1]

Mitigation Strategies

Since no patches are expected due to the product being End-Of-Life, immediate mitigation steps include restricting network access to the camera by placing it behind a firewall or VLAN to limit who can reach port 8554, disabling RTSP if possible, changing default passwords if applicable, and monitoring network traffic for unauthorized access attempts. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66049. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart