CVE-2025-66050
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: CERT.PL

Description
Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66050
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vivotek ip7137 From 0200a (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1393 The product uses default passwords for potentially critical functionality.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Vivotek IP7137 camera with firmware version 0200a does not require a password by default when logging in as an administrator. Users are not informed that setting a password is necessary, which means anyone can access the administrator account without authentication. This lack of authentication allows unauthorized users to control the camera and access sensitive functions.

Impact Analysis

This vulnerability can lead to unauthorized access to the camera's administrator functions, allowing attackers to control the device, view live video streams, and potentially compromise privacy and security. Since no password is required by default, anyone on the network can exploit this to spy on or manipulate the camera without permission. [1]

Detection Guidance

You can detect this vulnerability by checking if the Vivotek IP7137 camera allows unauthenticated access to its live video stream via the RTSP protocol on port 8554. For example, you can use the command: `ffplay rtsp://<camera-ip>:8554/` or `vlc rtsp://<camera-ip>:8554/` to see if the live feed is accessible without authentication. Additionally, scanning your network for devices with open port 8554 using tools like `nmap -p 8554 <camera-ip>` can help identify vulnerable cameras. [1]

Mitigation Strategies

Since the vendor has not provided a fix and the product is End-Of-Life, immediate mitigation steps include restricting network access to the camera by placing it behind a firewall or VLAN to limit exposure, disabling RTSP streaming if possible, changing default passwords if the option exists, and monitoring network traffic for unauthorized access attempts. Consider replacing the device with a supported model that receives security updates. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66050. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart