CRITICAL🇵🇱 Wersja polska

CVE-2025-10264

CVSS 10.0v4.0pub. 2025-09-12upd. 2026-04-15

Certain models of NVR developed by Digiever has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remoter attackers to access the system configuration file and obtain plaintext credentials of the NVR and its connected cameras.

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) and involves an NVR configuration file being accessible without authentication over the network. An attacker can send a specially crafted network request and download the file directly. The downloaded file contains authentication credentials (login and password) stored in plaintext, eliminating any additional protection barrier for the attacker.

Impact

An attacker gains full authentication credentials to the NVR recorder and connected cameras, enabling them to take full control of the video surveillance system, view video streams, modify settings, or conduct further attacks on the network infrastructure.

Mitigation & patch

Security patches available from the vendor should be applied in accordance with the provided references. Until updates are deployed, it is recommended to isolate NVR devices from public internet access (e.g., behind a firewall or VPN) and immediately change passwords for all associated devices.

Who is affected

Selected network recorder (NVR) models manufactured by Digiever — specific model identification is available in the vendor references (TWCERT).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References