Executive Summary

CVE-2026-35901 is a vulnerability in the RTSP service of the MERCURY MIPC252W IP camera firmware version 1.0.5 Build 230306 Rel.79931n. It is caused by improper handling of repeated SETUP requests for the same media track within a single RTSP session.

An authenticated attacker who has valid credentials can exploit this flaw by sending multiple SETUP requests targeting the same media track instead of progressing normally through the media tracks. This abnormal sequence causes the RTSP service to enter an inconsistent state, which actively terminates the session and resets the RTSP connection.

As a result, the RTSP video stream from the camera is interrupted, causing a denial-of-service condition that affects the availability and stability of the device's video service.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing a denial-of-service (DoS) condition on the affected MERCURY MIPC252W IP camera's RTSP video stream.

An attacker with valid authentication credentials can repeatedly send malformed RTSP SETUP requests, which will cause the camera's RTSP service to terminate sessions and reset connections.

This leads to interruptions in video streaming, reducing the availability and reliability of the camera's video feed, which could affect surveillance, monitoring, or any use case relying on continuous video access.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring RTSP sessions on the MERCURY MIPC252W IP camera for repeated SETUP requests targeting the same media track within a single session, which causes session termination and RTSP connection resets.

A proof-of-concept Python script exists that establishes an RTSP connection, performs OPTIONS and DESCRIBE requests, authenticates using RTSP Digest authentication, and then sends repeated SETUP requests for the same media track to trigger the vulnerability.

To detect this on your network, you can capture and analyze RTSP traffic using tools like Wireshark or tcpdump to identify repeated SETUP requests for the same media track within a session.

• Use tcpdump to capture RTSP traffic: tcpdump -i <interface> -s 0 -w rtsp_traffic.pcap port 554
• Analyze the captured traffic in Wireshark, filtering for RTSP SETUP requests: rtsp.request.method == "SETUP"
• Look for multiple SETUP requests for the same media track within a single RTSP session.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the RTSP service to trusted and authenticated users only, since exploitation requires valid credentials.

Monitor RTSP sessions for abnormal repeated SETUP requests and consider temporarily disabling RTSP service if possible until a firmware update or patch is available.

Limit network exposure of the MERCURY MIPC252W device by placing it behind firewalls or network segmentation to reduce the risk of authenticated attackers reaching the RTSP service.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0