📄 Xiongmai XM530 ONVIF / RTSP Security Scanner_PACKETSTORM:215053

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This project is a unified PHP-based security scanner designed to identify critical vulnerabilities in IP cameras, with a primary focus on ONVIF authentication bypass CVE-2025-65856 and unauthenticated RTSP stream exposure. The tool provides a...

Visit Original Source

Basic Information

ID PACKETSTORM:215053

Published Feb 6, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Xiongmai XM530 ONVIF & RTSP Security Scanner for IP Cameras |
| # Author : [email protected] |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.xiongmaitech.com/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213044/ & CVE-2025-65856

[+] Summary : This project is a unified PHP-based security scanner designed to identify critical vulnerabilities in IP cameras,
with a primary focus on ONVIF authentication bypass (CVE-2025-65856) and unauthenticated RTSP stream exposure.
The tool provides a single-file web interface that allows scanning a single IP address or an entire network range (CIDR), detecting exposed services,
fingerprinting device information (manufacturer and model), and assessing risk severity (LOW, MEDIUM, HIGH, CRITICAL).
The scanner is optimized for defensive security assessments and SOC use cases, generating structured JSON-compatible results suitable for SIEM ingestion.
It operates without external libraries, supports AJAX-based scanning without page reloads, and is fully compatible with standard PHP environments such as XAMPP.

[+] Key capabilities include:

Detection of ONVIF authentication bypass vulnerabilities

Identification of exposed RTSP streams without credentials

Automatic severity classification based on exposure level

Device fingerprinting (manufacturer / model when available)

Network-wide scanning via CIDR notation

Lightweight, single-file PHP web interface

Read-only, non-destructive Proof-of-Concept suitable for lawful security testing

[+] POC : How to Use It

Place the file inside: htdocs/camera_scanner.php

Open your browser:http://localhost/camera_scanner.php

Example Input :192.168.1.10 or 192.168.1.0/24

<?php

set_time_limit(0);
error_reporting(E_ALL & ~E_WARNING);

function port_open($ip, $port, $timeout = 2) {
$fp = @fsockopen($ip, $port, $errno, $errstr, $timeout);
if ($fp) {
fclose($fp);
return true;
}
return false;
}

function severity($onvif, $rtsp) {
if ($onvif && $rtsp) return "CRITICAL";
if ($onvif) return "HIGH";
if ($rtsp) return "MEDIUM";
return "LOW";
}

function check_onvif($ip, $port) {
$soap = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body>
<GetDeviceInformation xmlns="http://www.onvif.org/ver10/device/wsdl"/>
</s:Body>
</s:Envelope>
XML;

$opts = [
'http' => [
'method' => "POST",
'header' => "Content-Type: application/soap+xml\r\n",
'content' => $soap,
'timeout' => 3
]
];

$ctx = stream_context_create($opts);
$url = "http://$ip:$port/onvif/device_service";
$res = @file_get_contents($url, false, $ctx);

if ($res && strpos($res, "Manufacturer") !== false) {
preg_match('/<Manufacturer>(.*?)<\/Manufacturer>/', $res, $m);
preg_match('/<Model>(.*?)<\/Model>/', $res, $mo);
return [
"onvif" => true,
"manufacturer" => $m[1] ?? "Unknown",
"model" => $mo[1] ?? "Unknown",
"port" => $port
];
}
return ["onvif" => false];
}

function check_rtsp($ip, $port) {
$fp = @fsockopen($ip, $port, $e, $s, 2);
if ($fp) {
fwrite($fp, "OPTIONS rtsp://$ip RTSP/1.0\r\nCSeq: 1\r\n\r\n");
$r = fread($fp, 256);
fclose($fp);
if (strpos($r, "RTSP") !== false) return true;
}
return false;
}

function scan_ip($ip) {
$onvif = false;
$rtsp = false;
$info = [];

foreach ([80,8899,8080] as $p) {
if (port_open($ip, $p)) {
$r = check_onvif($ip, $p);
if ($r['onvif']) {
$onvif = true;
$info = $r;
break;
}
}
}

foreach ([554,8554] as $p) {
if (port_open($ip, $p) && check_rtsp($ip, $p)) {
$rtsp = true;
$info['rtsp_port'] = $p;
break;
}
}

return [
"ip" => $ip,
"onvif" => $onvif,
"rtsp" => $rtsp,
"manufacturer" => $info['manufacturer'] ?? "-",
"model" => $info['model'] ?? "-",
"severity" => severity($onvif, $rtsp),
"time" => date("Y-m-d H:i:s")
];
}

/* ================= AJAX ================= */

if (isset($_POST['target'])) {
$target = trim($_POST['target']);
$results = [];

if (strpos($target, "/") !== false) {
[$net, $cidr] = explode("/", $target);
$mask = ~((1 << (32 - $cidr)) - 1);
$start = ip2long($net) & $mask;
$end = $start | ~$mask;

for ($i = $start + 1; $i < $end; $i++) {
$ip = long2ip($i);
$r = scan_ip($ip);
if ($r['onvif'] || $r['rtsp']) {
$results[] = $r;
}
}
} else {
$results[] = scan_ip($target);
}

header("Content-Type: application/json");
echo json_encode($results, JSON_PRETTY_PRINT);
exit;
}
?>

<!DOCTYPE html>
<html lang="ar" dir="rtl">
<head>
<meta charset="utf-8">
<title>Camera Security Scanner</title>
<style>
body{font-family:tahoma;background:#0f172a;color:#e5e7eb}
.box{width:900px;margin:30px auto;background:#020617;padding:20px;border-radius:10px}
input,button{padding:10px;width:100%;margin:5px 0}
button{background:#2563eb;color:#fff;border:0;cursor:pointer}
pre{background:#020617;padding:10px;max-height:400px;overflow:auto}
.CRITICAL{color:#dc2626}
.HIGH{color:#f97316}
.MEDIUM{color:#eab308}
</style>
</head>

<body>
<div class="box">
<h2>🔍 فحص كاميرات ONVIF / RTSP</h2>

<input id="target" placeholder="192.168.1.10 أو 192.168.1.0/24">
<button onclick="scan()">ابدأ الفحص</button>

<pre id="out"></pre>
</div>

<script>
function scan(){
document.getElementById("out").textContent="جاري الفحص...";
fetch("",{
method:"POST",
headers:{"Content-Type":"application/x-www-form-urlencoded"},
body:"target="+encodeURIComponent(document.getElementById("target").value)
})
.then(r=>r.json())
.then(d=>{
let o="";
d.forEach(x=>{
o+=`[${x.severity}] ${x.ip} | ONVIF:${x.onvif} RTSP:${x.rtsp}\n`;
});
document.getElementById("out").textContent=o;
});
}
</script>
</body>
</html>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-06T18:17:09",
    "description": "This project is a unified PHP-based security scanner designed to identify critical vulnerabilities in IP cameras, with a primary focus on ONVIF authentication bypass CVE-2025-65856 and unauthenticated RTSP stream exposure. The tool provides a...",
    "published": "2026-02-06T00:00:00",
    "modified": "2026-02-06T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Xiongmai XM530 ONVIF / RTSP Security Scanner",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215053",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-65856"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Xiongmai XM530 ONVIF & RTSP Security Scanner for IP Cameras                                                                 |\n    | # Author    : [email protected]                                                                                                    |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://www.xiongmaitech.com/                                                                                               |\n    =============================================================================================================================================\n    \n    [+] References :  https://packetstorm.news/files/id/213044/ & CVE-2025-65856\n    \n    [+] Summary    :  This project is a unified PHP-based security scanner designed to identify critical vulnerabilities in IP cameras, \n                      with a primary focus on ONVIF authentication bypass (CVE-2025-65856) and unauthenticated RTSP stream exposure.\n                      The tool provides a single-file web interface that allows scanning a single IP address or an entire network range (CIDR), detecting exposed services, \n    \t\t\t\t  fingerprinting device information (manufacturer and model), and assessing risk severity (LOW, MEDIUM, HIGH, CRITICAL).\n                      The scanner is optimized for defensive security assessments and SOC use cases, generating structured JSON-compatible results suitable for SIEM ingestion. \n    \t\t\t\t  It operates without external libraries, supports AJAX-based scanning without page reloads, and is fully compatible with standard PHP environments such as XAMPP.\n    \n    [+] Key capabilities include:\n    \n    Detection of ONVIF authentication bypass vulnerabilities\n    \n    Identification of exposed RTSP streams without credentials\n    \n    Automatic severity classification based on exposure level\n    \n    Device fingerprinting (manufacturer / model when available)\n    \n    Network-wide scanning via CIDR notation\n    \n    Lightweight, single-file PHP web interface\n    \n    Read-only, non-destructive Proof-of-Concept suitable for lawful security testing\n    \n    [+] POC : How to Use It\n    \n    Place the file inside: htdocs/camera_scanner.php\n    \n    Open your browser:http://localhost/camera_scanner.php\n    \n    Example Input :192.168.1.10 or 192.168.1.0/24\n    \n    <?php\n    \n    set_time_limit(0);\n    error_reporting(E_ALL & ~E_WARNING);\n    \n    function port_open($ip, $port, $timeout = 2) {\n        $fp = @fsockopen($ip, $port, $errno, $errstr, $timeout);\n        if ($fp) {\n            fclose($fp);\n            return true;\n        }\n        return false;\n    }\n    \n    function severity($onvif, $rtsp) {\n        if ($onvif && $rtsp) return \"CRITICAL\";\n        if ($onvif) return \"HIGH\";\n        if ($rtsp) return \"MEDIUM\";\n        return \"LOW\";\n    }\n    \n    function check_onvif($ip, $port) {\n        $soap = <<<XML\n    <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n    <s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\">\n    <s:Body>\n    <GetDeviceInformation xmlns=\"http://www.onvif.org/ver10/device/wsdl\"/>\n    </s:Body>\n    </s:Envelope>\n    XML;\n    \n        $opts = [\n            'http' => [\n                'method' => \"POST\",\n                'header' => \"Content-Type: application/soap+xml\\r\\n\",\n                'content' => $soap,\n                'timeout' => 3\n            ]\n        ];\n    \n        $ctx = stream_context_create($opts);\n        $url = \"http://$ip:$port/onvif/device_service\";\n        $res = @file_get_contents($url, false, $ctx);\n    \n        if ($res && strpos($res, \"Manufacturer\") !== false) {\n            preg_match('/<Manufacturer>(.*?)<\\/Manufacturer>/', $res, $m);\n            preg_match('/<Model>(.*?)<\\/Model>/', $res, $mo);\n            return [\n                \"onvif\" => true,\n                \"manufacturer\" => $m[1] ?? \"Unknown\",\n                \"model\" => $mo[1] ?? \"Unknown\",\n                \"port\" => $port\n            ];\n        }\n        return [\"onvif\" => false];\n    }\n    \n    function check_rtsp($ip, $port) {\n        $fp = @fsockopen($ip, $port, $e, $s, 2);\n        if ($fp) {\n            fwrite($fp, \"OPTIONS rtsp://$ip RTSP/1.0\\r\\nCSeq: 1\\r\\n\\r\\n\");\n            $r = fread($fp, 256);\n            fclose($fp);\n            if (strpos($r, \"RTSP\") !== false) return true;\n        }\n        return false;\n    }\n    \n    function scan_ip($ip) {\n        $onvif = false;\n        $rtsp  = false;\n        $info  = [];\n    \n        foreach ([80,8899,8080] as $p) {\n            if (port_open($ip, $p)) {\n                $r = check_onvif($ip, $p);\n                if ($r['onvif']) {\n                    $onvif = true;\n                    $info = $r;\n                    break;\n                }\n            }\n        }\n    \n        foreach ([554,8554] as $p) {\n            if (port_open($ip, $p) && check_rtsp($ip, $p)) {\n                $rtsp = true;\n                $info['rtsp_port'] = $p;\n                break;\n            }\n        }\n    \n        return [\n            \"ip\" => $ip,\n            \"onvif\" => $onvif,\n            \"rtsp\" => $rtsp,\n            \"manufacturer\" => $info['manufacturer'] ?? \"-\",\n            \"model\" => $info['model'] ?? \"-\",\n            \"severity\" => severity($onvif, $rtsp),\n            \"time\" => date(\"Y-m-d H:i:s\")\n        ];\n    }\n    \n    /* ================= AJAX ================= */\n    \n    if (isset($_POST['target'])) {\n        $target = trim($_POST['target']);\n        $results = [];\n    \n        if (strpos($target, \"/\") !== false) {\n            [$net, $cidr] = explode(\"/\", $target);\n            $mask = ~((1 << (32 - $cidr)) - 1);\n            $start = ip2long($net) & $mask;\n            $end   = $start | ~$mask;\n    \n            for ($i = $start + 1; $i < $end; $i++) {\n                $ip = long2ip($i);\n                $r = scan_ip($ip);\n                if ($r['onvif'] || $r['rtsp']) {\n                    $results[] = $r;\n                }\n            }\n        } else {\n            $results[] = scan_ip($target);\n        }\n    \n        header(\"Content-Type: application/json\");\n        echo json_encode($results, JSON_PRETTY_PRINT);\n        exit;\n    }\n    ?>\n    \n    <!DOCTYPE html>\n    <html lang=\"ar\" dir=\"rtl\">\n    <head>\n    <meta charset=\"utf-8\">\n    <title>Camera Security Scanner</title>\n    <style>\n    body{font-family:tahoma;background:#0f172a;color:#e5e7eb}\n    .box{width:900px;margin:30px auto;background:#020617;padding:20px;border-radius:10px}\n    input,button{padding:10px;width:100%;margin:5px 0}\n    button{background:#2563eb;color:#fff;border:0;cursor:pointer}\n    pre{background:#020617;padding:10px;max-height:400px;overflow:auto}\n    .CRITICAL{color:#dc2626}\n    .HIGH{color:#f97316}\n    .MEDIUM{color:#eab308}\n    </style>\n    </head>\n    \n    <body>\n    <div class=\"box\">\n    <h2>\ud83d\udd0d \u0641\u062d\u0635 \u0643\u0627\u0645\u064a\u0631\u0627\u062a ONVIF / RTSP</h2>\n    \n    <input id=\"target\" placeholder=\"192.168.1.10 \u0623\u0648 192.168.1.0/24\">\n    <button onclick=\"scan()\">\u0627\u0628\u062f\u0623 \u0627\u0644\u0641\u062d\u0635</button>\n    \n    <pre id=\"out\"></pre>\n    </div>\n    \n    <script>\n    function scan(){\n      document.getElementById(\"out\").textContent=\"\u062c\u0627\u0631\u064a \u0627\u0644\u0641\u062d\u0635...\";\n      fetch(\"\",{\n        method:\"POST\",\n        headers:{\"Content-Type\":\"application/x-www-form-urlencoded\"},\n        body:\"target=\"+encodeURIComponent(document.getElementById(\"target\").value)\n      })\n      .then(r=>r.json())\n      .then(d=>{\n        let o=\"\";\n        d.forEach(x=>{\n          o+=`[${x.severity}] ${x.ip} | ONVIF:${x.onvif} RTSP:${x.rtsp}\\n`;\n        });\n        document.getElementById(\"out\").textContent=o;\n      });\n    }\n    </script>\n    </body>\n    </html>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215053",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215053/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply