CVE-2026-51598
Received Received - Intake

RTSP Service Denial of Service in MERCURY MIPC252W IP Camera

Vulnerability report for CVE-2026-51598, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: MITRE

Description

An input validation vulnerability in the RTSP service of MERCURY MIPC252W IP Camera v1.0.5 Build 230306 Rel.79931n) allows an unauthenticated, network-adjacent attacker to cause a denial of service via a crafted DESCRIBE request with a malformed URL in the request line.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mercury mipc252w 1.0.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-51598 is an input validation vulnerability in the RTSP service of the MERCURY MIPC252W IP camera running firmware version 1.0.5 Build 230306 Rel.79931n.

The flaw involves insufficient validation of the URL field in RTSP DESCRIBE requests. When a malformed URL containing illegal characters or non-conforming sequences is sent, the device fails to reject it during parsing and instead processes it incorrectly.

This causes two main issues: first, a mismatch in the CSeq field in the 401 Unauthorized response, corrupting the device's RTSP state machine and causing subsequent requests to fail with 400 Bad Request errors until a new connection is made.

Second, the device mistakenly counts these malformed requests as authentication failures, leading to the source IP address being locked out after repeated attempts, preventing RTSP authentication from that IP for an extended period or until reboot.

Impact Analysis

This vulnerability can cause a denial of service on the affected IP camera by corrupting its RTSP state machine and locking out IP addresses from authenticating.

An attacker can exploit this by sending crafted RTSP DESCRIBE requests with malformed URLs, which do not require valid authentication credentials.

As a result, legitimate clients on the same network segment may be unable to access the RTSP service for 40 minutes to several hours or until the device is rebooted.

Detection Guidance

This vulnerability can be detected by monitoring RTSP traffic for malformed DESCRIBE requests containing illegal characters or non-conforming URL sequences. Such requests cause the device to respond with a 401 Unauthorized message that has a CSeq field mismatch, violating RFC 2326, followed by 400 Bad Request errors on subsequent requests within the same connection.

Detection can also involve observing if the device locks out the source IP address after repeated malformed DESCRIBE requests, resulting in denial of RTSP authentication attempts from that IP for an extended period.

A practical approach is to use network packet capture tools like tcpdump or Wireshark to filter RTSP traffic and identify malformed DESCRIBE requests.

  • Use tcpdump to capture RTSP traffic: tcpdump -i <interface> -s 0 -w capture.pcap port 554
  • Analyze the capture with Wireshark, filtering for RTSP DESCRIBE requests and checking for malformed URLs or unusual response codes (401 with CSeq mismatch, 400 Bad Request).
  • Alternatively, use a Python script (proof-of-concept exploit) to send crafted malformed DESCRIBE requests and observe device behavior for state machine corruption and IP lockout.
Mitigation Strategies

Immediate mitigation steps include restricting network access to the RTSP service of the MERCURY MIPC252W IP camera to trusted hosts only, thereby preventing unauthenticated, network-adjacent attackers from sending malformed DESCRIBE requests.

Monitoring and limiting the rate of RTSP DESCRIBE requests can help reduce the risk of triggering the vulnerability.

If possible, rebooting the device will clear the IP lockout state caused by the vulnerability.

Applying firmware updates or patches from the vendor, once available, is recommended to permanently fix the input validation flaw.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-51598. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart