Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access.
The implementation of the ONVIF protocol in the camera's firmware does not enforce authentication on 31 critical endpoints. An attacker can directly send requests to these endpoints without providing any authentication credentials. As a result, unauthorized access to video streams and device information over the network is possible without any user interaction.
An attacker can gain unauthorized access to live video streams and sensitive device information, leading to violation of confidentiality of monitored areas and potential exposure of camera configuration data.
Apply patches available from the manufacturer according to the references. Until updates are deployed, it is recommended to isolate cameras from the public network, use a firewall blocking access to ONVIF ports from untrusted networks, and place devices in a dedicated VLAN network segment with restricted access.
Xiongmai XM530 IP cameras (Xiongmaitech Xm530V200 X6-Weq 8M) with firmware version V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HXiongmaitech Xm530v200 X6 Weq 8m
HWXiongmaitechwszystkie wersjeXiongmaitech Xm530v200 X6 Weq 8m Firmware
OSXiongmaitech5.00.r02.000807d8.10010.346624.s.onvif_21.06
Related vulnerabilities
An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06...
Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02....
Xiaongmai AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, AHB7808R-MS-V2, AHB7808R-MS, AHB7808T-MS-V2, AHB7804R-...
Xiongmai Technology Co devices AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, AHB7808R-MS-V2, AHB7808R-MS, AHB7...
All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communi...