{“lastseen”:”2025-12-18T16:34:58″,”description”:”There is a complete authentication bypass in the ONVIF implementation of Xiongmai XM530-series IP cameras that allows unauthenticated remote access to sensitive device information, configuration, and video streams…”,”published”:”2025-12-18T00:00:00″,”modified”:”2025-12-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Xiongmai XM530 IP Camera ONVIF Complete Authentication Bypass”,”source”:””,”references”:””,”id”:”PACKETSTORM:213044″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2017-16725″,”CVE-2018-10088″,”CVE-2018-17915″,”CVE-2025-65856″,”CVE-2025-65857″],”sourceData”:”# CVE-2025-65856\\n \\n **Xiongmai XM530 IP Camera ONVIF Complete Authentication Bypass**\\n \\n —\\n \\n ## Summary\\n \\n Complete authentication bypass in the ONVIF implementation of Xiongmai XM530-series IP cameras allows unauthenticated remote access to sensitive device information, configuration, and video streams.\\n \\n **CVE ID:** CVE-2025-65856 \\n **Severity:** CRITICAL \\n **CVSS v3.1 Score:** 9.8 \\n **CVSS Vector:** `CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H`\\n \\n ### CVSS Breakdown\\n \\n * **Attack Vector (AV):** Network – Remotely exploitable\\n * **Attack Complexity (AC):** Low – No special conditions required\\n * **Privileges Required (PR):** None – No authentication needed\\n * **User Interaction (UI):** None – Zero-click exploitation\\n * **Confidentiality\/Integrity\/Availability:** High – Complete device compromise\\n \\n —\\n \\n ## Affected Products\\n \\n **Vendor:** Hangzhou Xiongmai Technology Co., Ltd. \\n **Product:** IP Camera XM530V200_X6-WEQ_8M \\n **Commercial Brand:** ANBIUX (and hundreds of OEM rebrands) \\n **Firmware:** V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 and likely all V5.00.R02.* versions \\n **Component:** ONVIF Web Service Implementation\\n \\n **Device Context:** \\n Xiongmai is a major OEM supplier of IP cameras sold under hundreds of brand names globally. These cameras are widely deployed in residential, commercial, and industrial surveillance systems.\\n \\n —\\n \\n ## Vulnerability Details\\n \\n The ONVIF web service implementation fails to enforce authentication on 31 critical endpoints that should require credentials per ONVIF specifications.\\n \\n **Technical Details:**\\n \\n 1. **Missing WS-Security Authentication (CWE-306)**\\n * ONVIF endpoints accept unauthenticated SOAP requests\\n * No validation of Security headers\\n * Standard ONVIF authentication completely bypassed\\n \\n 2. **Affected Endpoints (partial list):**\\n * `GetDeviceInformation` – Hardware\/firmware details\\n * `GetUsers` – User account information\\n * `GetStreamUri` – RTSP stream URIs with credentials\\n * `GetSnapshotUri` – Still image URIs\\n * `GetNetworkInterfaces` – Network configuration\\n * `GetNetworkProtocols` – Enabled services\/ports\\n * `GetDNS` \/ `GetNTP` – DNS and NTP configuration\\n * `GetPresets` \/ `GetNodes` – PTZ configuration\\n * `SetRelayOutputState` – Control relay outputs (alarms)\\n * … and 22 additional critical endpoints\\n \\n 3. **Attack Surface:**\\n * Common ports: 80, 8000, 8080, 8899\\n * No rate limiting observed\\n * Thousands of devices exposed to internet (Shodan: `port:80 \\”Server: uc-httpd\\”` or `port:8899 \\”XM\\”`)\\n \\n —\\n \\n ## Impact\\n \\n An unauthenticated remote attacker can:\\n \\n * Access live video and audio streams\\n * Obtain complete device configuration\\n * Enumerate user accounts and credentials\\n * Control PTZ (Pan-Tilt-Zoom) functions\\n * Manipulate relay outputs (alarm systems)\\n * Perform network reconnaissance\\n * Extract RTSP credentials (see CVE-2025-65857)\\n \\n **Privacy Impact:** Direct violation of GDPR and privacy regulations. Enables mass surveillance operations.\\n \\n **Combined with CVE-2025-65857:** Complete zero-authentication access to live video streams.\\n \\n —\\n \\n ## Proof of Concept\\n \\n **Basic ONVIF Request (No Authentication):**\\n \\n “`bash\\n curl -X POST http:\/\/[CAMERA_IP]:8899\/onvif\/device_service \\\\\\n -H \\”Content-Type: application\/soap+xml\\” \\\\\\n -d ‘\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\”?\\u003e\\n \\u003cs:Envelope xmlns:s=\\”http:\/\/www.w3.org\/2003\/05\/soap-envelope\\”\\u003e\\n \\u003cs:Body xmlns:tds=\\”http:\/\/www.onvif.org\/ver10\/device\/wsdl\\”\\u003e\\n \\u003ctds:GetDeviceInformation\/\\u003e\\n \\u003c\/s:Body\\u003e\\n \\u003c\/s:Envelope\\u003e’\\n “`\\n \\n **Expected:** Authentication required \\n **Actual:** Full device information returned without credentials\\n \\n Complete PoC testing all 31 vulnerable endpoints available to security researchers upon request.\\n \\n —\\n \\n ## Mitigation\\n \\n ### For Users (Immediate):\\n \\n * **Network Isolation:** Place cameras on isolated VLAN with no internet access\\n * **Firewall Rules:** Block inbound connections to ports 80, 8000, 8080, 8899, 554\\n * **Disable ONVIF:** Check camera settings for option to disable ONVIF protocol\\n * **VPN-Only Access:** Never expose cameras directly to internet\\n * **Consider Replacement:** Given vendor’s security history, replacement recommended\\n \\n ### For Vendor:\\n \\n * Implement proper WS-Security authentication on all ONVIF endpoints\\n * Follow ONVIF Core Specification security requirements\\n * Add rate limiting and brute force protection\\n * Enable security logging and alerts\\n \\n **No patch currently available.**\\n \\n —\\n \\n ## Timeline\\n \\n * **November 2025:** Vulnerability discovered during security assessment\\n * **December 16, 2025:** CVE-2025-65856 assigned by MITRE (Service Request: 1954988)\\n * **December 17, 2025:** Vendor contact attempted via XMSRC@xiongmaitech.com (email delivery failed – server misconfigured)\\n * **December 17, 2025:** Alternative contact attempted via oversea_sales@xiongmaitech.com (email delivery failed)\\n * **December 17, 2025:** Public disclosure\\n \\n **Vendor Response:** No response received. Official security contact infrastructure non-functional.\\n \\n —\\n \\n ## Credits\\n \\n **Discovered by:** Luis Miranda Acebedo \\n **Location:** Vigo, Galicia, Spain \\n **Contact:** luis.miranda.acebedo@gmail.com\\n \\n —\\n \\n ## References\\n \\n * **CVE:** https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2025-65856\\n * **Related:** CVE-2025-65857 (Hardcoded RTSP Credentials)\\n * **CWE-306:** https:\/\/cwe.mitre.org\/data\/definitions\/306.html\\n * **ONVIF Spec:** https:\/\/www.onvif.org\/specs\/core\/ONVIF-Core-Specification.pdf\\n * **Vendor History:**\\n * CVE-2017-16725 (Directory traversal, unpatched)\\n * CVE-2018-10088 (Authentication bypass, unpatched)\\n * CVE-2018-17915, 17917, 17919 (XMEye P2P vulnerabilities)\\n * Mirai botnet contributor (2016)\\n * SEC Consult Advisory (2018): \\”Recommend discontinuing Xiongmai products\\”\\n \\n This site is open source. [Improve this page](https:\/\/github.com\/LuisMirandaAcebedo\/CVE-2025-65856\/edit\/main\/README.md).”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213044″,”cvss”:{“score”:10,”severity”:”HIGH”,”vector”:”AV:N\/AC:L\/Au:N\/C:C\/I:C\/A:C”,”version”:”2.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”baseScore”:9.8,”baseSeverity”:”CRITICAL”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”NONE”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”HIGH”,”integrityImpact”:”HIGH”,”availabilityImpact”:”HIGH”}},”href”:”https:\/\/packetstorm.news\/files\/id\/213044\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-18T16:34:58″,”description”:”There is a complete authentication bypass in the ONVIF implementation of Xiongmai XM530-series IP cameras that allows unauthenticated remote access to sensitive device information, configuration,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,36,12,15,13,53,7,11,5],"class_list":["post-31883","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n