CVE-2025-69986
Received Received - Intake
Buffer Overflow in LSC Camera ONVIF GetStreamUri Enables RCE

Publication date: 2026-03-27

Last updated on: 2026-03-27

Assigner: MITRE

Description
A buffer overflow vulnerability exists in the ONVIF GetStreamUri function of LSC Indoor Camera V7.6.32. The application fails to validate the length of the Protocol parameter inside the Transport element. By sending a specially crafted SOAP request containing an oversized protocol string, an attacker can overflow the stack buffer, overwriting the return instruction pointer (RIP). This vulnerability allows for Denial of Service (DoS) via device crash or Remote Code Execution (RCE) in the context of the ONVIF service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69986
EUVD
EUVD-2025-209095
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lsc indoor_camera 7.6.32
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-69986 is a stack-based buffer overflow vulnerability in the LSC Smart Indoor IP Camera's ONVIF service, specifically in the dgiot binary handling the GetStreamUri method.

The flaw occurs because the application does not properly validate the length of the Protocol parameter inside the Transport element of a SOAP request. It uses the unsafe strcpy() function to copy the Protocol string into a fixed-size stack buffer without checking its length.

An attacker who can authenticate (using hardcoded or discovered credentials) can send a specially crafted SOAP request with an oversized Protocol string, causing a buffer overflow that overwrites the Return Instruction Pointer (RIP).

Due to the lack of modern memory protections like stack canaries and the disabled NX bit (making the stack executable), this overflow can be exploited to execute arbitrary code remotely (Remote Code Execution) or cause the device to crash (Denial of Service).

Impact Analysis

This vulnerability can impact you by allowing an attacker to remotely execute arbitrary code on the affected camera device, potentially gaining full root access to its operating system.

Alternatively, the attacker can cause a denial of service (DoS) by crashing the device through a segmentation fault triggered by the oversized Protocol parameter.

Such impacts could lead to unauthorized control over the camera, disruption of its operation, and compromise of any data or video streams it handles.

Detection Guidance

This vulnerability can be detected by sending specially crafted SOAP requests to the ONVIF GetStreamUri function of the LSC Indoor Camera and observing the device's response.

A proof-of-concept involves sending a SOAP request with an excessively long <tt:Protocol> string inside the Transport element. If the device crashes or reboots (segmentation fault), it indicates the presence of the vulnerability.

Detection commands could include using tools like curl or custom scripts to send SOAP requests with oversized Protocol parameters to the camera's ONVIF service endpoint.

  • Example curl command to test the vulnerability (replace CAMERA_IP and credentials accordingly):
  • curl -u username:password -H "Content-Type: application/soap+xml" -d @payload.xml http://CAMERA_IP/onvif/device_service
  • Where payload.xml contains a SOAP request with an oversized <tt:Protocol> string in the GetStreamUri method.

Monitoring for device crashes or reboots after sending such requests can help confirm the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the ONVIF service to trusted users only, as exploitation requires authenticated access.

Avoid sending or accepting oversized Protocol parameter values in SOAP requests to prevent triggering the buffer overflow.

If possible, apply firmware updates or patches from the vendor that address this vulnerability by implementing safer string handling functions and enabling modern memory protections.

In the absence of patches, consider network-level protections such as firewall rules to block suspicious SOAP requests or limit access to the ONVIF service.

Long-term mitigation involves replacing unsafe functions like strcpy() with safer alternatives (strncpy(), strlcpy()), enabling stack canaries, NX bit, and PIE in the device firmware, and enforcing strict input validation on ONVIF parameters.

Compliance Impact

The vulnerability allows remote code execution and denial of service on the LSC Indoor Camera, potentially leading to unauthorized access or disruption of the device.

Such security weaknesses could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure operation of devices handling sensitive information.

Specifically, exploitation of this vulnerability could lead to unauthorized access to camera data or interruption of service, both of which may violate data protection and security requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69986. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart