CVE-2026-51599
Received Received - Intake

RTSP Parser Denial of Service in MERCURY MIPC252W

Vulnerability report for CVE-2026-51599, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: MITRE

Description

An insufficient input validation vulnerability in the RTSP service of MERCURY MIPC252W v1.0.5 Build 230306 Rel.79931n allows an unauthenticated remote attacker to render an individual TCP connection temporarily unusable via sending an RTSP request with a Content-Length header but no corresponding message body. The affected RTSP parser enters a body-waiting state instead of rejecting the malformed request, causing all subsequent data on the connection to be silently consumed as body content until a server-side timeout closes the connection.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mercury mipc252w 1.0.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-51599 is a vulnerability in the RTSP service of the MERCURY MIPC252W IP camera. It arises because the device does not properly validate RTSP requests that include a Content-Length header but lack the corresponding message body.

According to RTSP standards (RFC 2326), certain methods like DESCRIBE, SETUP, PLAY, TEARDOWN, and OPTIONS should not have a request body, and malformed requests should be rejected with a 400 Bad Request response. However, the affected device instead enters a persistent state waiting for the body bytes that never arrive.

This causes the RTSP parser to consume all subsequent data on the same TCP connection as body content, making that connection unusable until a server-side timeout (about 20 seconds) closes it. The vulnerability can be triggered remotely without authentication by sending such malformed RTSP requests.

Impact Analysis

This vulnerability impacts the availability of the RTSP service on the affected device by temporarily rendering an individual TCP connection unusable.

An attacker can exploit this by sending a malformed RTSP request with a Content-Length header but no body, causing the device to silently consume all subsequent data on that connection and ignore further requests until the connection times out and closes.

The impact is limited to the specific TCP connection targeted and does not affect other connections or active streaming sessions. No reboot is required for recovery, but the affected connection will be unavailable for approximately 20 seconds.

This can lead to a minor denial of service condition on the RTSP service, potentially disrupting legitimate client connections temporarily.

Detection Guidance

This vulnerability can be detected by sending an RTSP request to the MERCURY MIPC252W device's RTSP service that includes a Content-Length header but no corresponding message body. For example, sending a DESCRIBE request with a Content-Length value between 100 and 1000 but without a body will trigger the vulnerability.

You can use network tools like curl or netcat to craft such RTSP requests and observe the device's behavior. If the connection becomes unresponsive or subsequent RTSP requests on the same connection are ignored until a timeout occurs (approximately 20 seconds), the vulnerability is present.

  • Example command using netcat (nc) to send a malformed RTSP request: printf 'DESCRIBE rtsp://<device-ip>/stream/1 RTSP/1.0\r\nCSeq: 1\r\nContent-Length: 150\r\n\r\n' | nc <device-ip> 554
  • Monitor the connection for unresponsiveness or lack of expected RTSP responses after sending the malformed request.
Mitigation Strategies

Immediate mitigation steps include avoiding sending RTSP requests with a Content-Length header but no body to the affected device, as this triggers the vulnerability.

Since the vulnerability only affects individual TCP connections and the device recovers after a timeout (approximately 20 seconds), you can mitigate impact by closing and reopening RTSP connections if unresponsiveness is detected.

Additionally, monitor network traffic to detect and block malformed RTSP requests that could exploit this vulnerability.

Long-term mitigation would require a firmware update from the vendor to properly validate RTSP requests and reject malformed ones, but no such update is mentioned in the provided information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-51599. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart