CVE-2025-69988
Incorrect Access Control in BS Producten Petcam Enables Unauthorized Video Access
Publication date: 2026-03-27
Last updated on: 2026-03-27
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bs_producten | petcam | 33.1.0.0818 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enforcing WPA2 or WPA3 encryption on the device's "Local Mode" Wi-Fi Access Point by default.
Implement unique per-device passwords printed on the device label to prevent unauthorized access.
Require authentication for all internal services such as RTSP streaming and the HTTP API, even if the network is accessed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability results in a complete loss of confidentiality and privacy by allowing unauthorized attackers to access live video and audio streams without credentials. Such unauthorized access to sensitive personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and security of personal and sensitive information.
Specifically, the exposure of unencrypted live feeds and internal APIs without authentication violates principles of data security and privacy required by these standards, potentially leading to legal and regulatory consequences for organizations using the affected device.
Can you explain this vulnerability to me?
CVE-2025-69988 is a vulnerability in the BS Producten Petcam device where its "Local Mode" network configuration broadcasts an open Wi-Fi access point without any encryption or authentication.
An attacker physically near the device can connect to this open network without a password, gaining an IP address on the same subnet as the camera's internal control and streaming services.
Once connected, the attacker can access internal services such as the RTSP stream on port 554 and a custom API on port 8001 without credentials, allowing them to view live video and audio feeds and retrieve sensitive information.
This vulnerability results in a complete loss of confidentiality and privacy for the device's data.
How can this vulnerability impact me? :
If you have a BS Producten Petcam device affected by this vulnerability, an attacker nearby can connect to its open Wi-Fi network without needing any credentials.
This allows the attacker to access live video and audio streams from your camera, compromising your privacy and security.
Additionally, the attacker can interact with the device's internal API, potentially exploiting further vulnerabilities to gain deeper control or cause additional harm.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning for the device's open Wi-Fi Access Point (AP) broadcasting an SSID with the pattern "CLOUDCAM_[MAC_SUFFIX]" that uses no encryption or authentication.
Once connected to this open AP, a network scan can be performed to identify open ports such as RTSP on port 554 and a custom API on port 8001.
A suggested command to scan for open ports on the device is using Nmap, for example:
- nmap -p 554,8001 [device_IP]
Accessing the RTSP stream on port 554 without credentials can confirm the vulnerability by allowing monitoring of live video and audio feeds.