CVE-2025-69986
Buffer Overflow in LSC Camera ONVIF GetStreamUri Enables RCE
Publication date: 2026-03-27
Last updated on: 2026-03-27
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lsc | indoor_camera | 7.6.32 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69986 is a stack-based buffer overflow vulnerability in the LSC Smart Indoor IP Camera's ONVIF service, specifically in the dgiot binary handling the GetStreamUri method.
The flaw occurs because the application does not properly validate the length of the Protocol parameter inside the Transport element of a SOAP request. It uses the unsafe strcpy() function to copy the Protocol string into a fixed-size stack buffer without checking its length.
An attacker who can authenticate (using hardcoded or discovered credentials) can send a specially crafted SOAP request with an oversized Protocol string, causing a buffer overflow that overwrites the Return Instruction Pointer (RIP).
Due to the lack of modern memory protections like stack canaries and the disabled NX bit (making the stack executable), this overflow can be exploited to execute arbitrary code remotely (Remote Code Execution) or cause the device to crash (Denial of Service).
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to remotely execute arbitrary code on the affected camera device, potentially gaining full root access to its operating system.
Alternatively, the attacker can cause a denial of service (DoS) by crashing the device through a segmentation fault triggered by the oversized Protocol parameter.
Such impacts could lead to unauthorized control over the camera, disruption of its operation, and compromise of any data or video streams it handles.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted SOAP requests to the ONVIF GetStreamUri function of the LSC Indoor Camera and observing the device's response.
A proof-of-concept involves sending a SOAP request with an excessively long <tt:Protocol> string inside the Transport element. If the device crashes or reboots (segmentation fault), it indicates the presence of the vulnerability.
Detection commands could include using tools like curl or custom scripts to send SOAP requests with oversized Protocol parameters to the camera's ONVIF service endpoint.
Example curl command to test the vulnerability (replace CAMERA_IP and credentials accordingly):

    curl -u username:password -H "Content-Type: application/soap+xml" -d @payload.xml http://CAMERA_IP/onvif/device_service

Here payload.xml contains a SOAP request with an oversized <tt:Protocol> string in the GetStreamUri method.
Monitoring for device crashes or reboots after sending such requests can help confirm the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the ONVIF service to trusted users only, as exploitation requires authenticated access.
Avoid sending or accepting oversized Protocol parameter values in SOAP requests to prevent triggering the buffer overflow.
If possible, apply firmware updates or patches from the vendor that address this vulnerability by implementing safer string handling functions and enabling modern memory protections.
In the absence of patches, consider network-level protections such as firewall rules to block suspicious SOAP requests or limit access to the ONVIF service.
Long-term mitigation involves replacing unsafe functions like strcpy() with safer alternatives (strncpy(), strlcpy()), enabling stack canaries, NX bit, and PIE in the device firmware, and enforcing strict input validation on ONVIF parameters.
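The unbounded copy described above, next to a length-checked and allow-listed replacement of the kind this mitigation calls for, as an added C example (not the vendor's code and not taken from the advisory). The function names, the 16-byte buffer size and the literal `tt:` prefix match are assumptions; the allow-list is the ONVIF tt:TransportProtocol enumeration.

```c
#include <stddef.h>
#include <string.h>

#define PROTO_BUF 16  /* assumed size; the real buffer size in dgiot is not given on the page */

/* Values of the ONVIF tt:TransportProtocol enumeration. */
static const char *const ALLOWED[] = { "UDP", "TCP", "RTSP", "HTTP" };

/* Vulnerable pattern as described: unbounded copy into a stack buffer.
 * Hypothetical reconstruction, shown for contrast only and never called here. */
int handle_protocol_unsafe(const char *value)
{
    char proto[PROTO_BUF];
    strcpy(proto, value);          /* overflows when strlen(value) >= PROTO_BUF */
    return proto[0] != '\0';
}

/* Hardened form: find the element text, check its length BEFORE copying,
 * then accept only allow-listed values.
 * Returns 0 ok, -1 missing/malformed, -2 too long, -3 value not allowed. */
int parse_protocol_safe(const char *xml, char *out, size_t outsz)
{
    static const char tag_open[] = "<tt:Protocol>";
    static const char tag_close[] = "</tt:Protocol>";
    const char *start, *end;
    size_t len, i;

    if (xml == NULL || out == NULL || outsz == 0)
        return -1;
    start = strstr(xml, tag_open);
    if (start == NULL)
        return -1;
    start += sizeof(tag_open) - 1;
    end = strstr(start, tag_close);
    if (end == NULL)
        return -1;
    len = (size_t)(end - start);
    if (len >= outsz)              /* reject outright, do not truncate */
        return -2;
    memcpy(out, start, len);
    out[len] = '\0';
    for (i = 0; i < sizeof(ALLOWED) / sizeof(ALLOWED[0]); i++)
        if (strcmp(out, ALLOWED[i]) == 0)
            return 0;
    out[0] = '\0';                 /* leave nothing attacker-controlled behind */
    return -3;
}
```

The hardened function rejects an oversized value instead of truncating it, because strncpy() leaves the destination unterminated when the source fills the buffer. Production code should take the element text from a real XML parser rather than matching a fixed prefix.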
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote code execution and denial of service on the LSC Indoor Camera, potentially leading to unauthorized access or disruption of the device.
Such security weaknesses could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure operation of devices handling sensitive information.
Specifically, exploitation of this vulnerability could lead to unauthorized access to camera data or interruption of service, both of which may violate data protection and security requirements mandated by these regulations.