Ningyuanda TC155 CVE-2025-14746
Severity by source: LOW
CVSS vector (NVD): CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in Ningyuanda TC155 57.0.2.0. The affected element is an unknown function of the component RTSP Live Video Stream Endpoint. Such manipulation leads to improper authentication. The attack must be carried out from within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Improper authentication in Ningyuanda TC155 firmware version 57.0.2.0 allows unauthenticated access to the RTSP Live Video Stream from within the local network. The vulnerability, classified as an authentication bypass (CWE-287), requires no user interaction and can be exploited with low complexity. Publicly available exploit code exists, though active exploitation has not been confirmed via CISA KEV. An EPSS score of 0.16% indicates low real-world exploitation likelihood despite the disclosure and POC availability, suggesting limited attacker interest or access constraints.
Technical Context (AI)
The vulnerability resides in the RTSP (Real Time Streaming Protocol) Live Video Stream endpoint of the TC155 firmware, a network-attached IoT device from Shenzhen Ningyuanda Technology. RTSP is a standard protocol for streaming multimedia content, and RTSP servers typically implement authentication mechanisms to restrict access. The affected component fails to properly enforce authentication controls (CWE-287: Improper Authentication), allowing unauthenticated access to video streams. The CPE identifier specifies firmware version 57.0.2.0 as the vulnerable release. The attack vector (AV:A) limits exploitation to adjacent network access: an attacker must be on the same local network segment as the device, which prevents remote exploitation over the Internet.
Remediation (AI)
No vendor-released patch has been identified at time of analysis. The vendor (Shenzhen Ningyuanda Technology) was reportedly contacted early but did not respond. Organizations operating TC155 devices with firmware 57.0.2.0 should apply these compensating controls:
(1) Isolate TC155 devices to a dedicated management VLAN with strict access control lists, limiting RTSP access to authorized administrator IP ranges only. This reduces the set of hosts that satisfy the adjacent-network requirement, but may reduce operational flexibility for legitimate users.
(2) Disable or restrict public access to the RTSP endpoint if the device supports an administrative disable. Verify the capability via device documentation or vendor contact.
(3) Monitor network traffic to the RTSP port for unauthorized access attempts and implement network-level rate limiting.
(4) Contact Shenzhen Ningyuanda Technology directly for patch availability or clarification on affected versions. If no response is provided, consider replacing the device with an alternative that has active vendor support.
Without vendor support, long-term mitigation requires network segmentation rather than product updates.
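One way to implement the monitoring in control (3) together with the allowlist from control (1), as an added example that is not part of the advisory or any vendor material: it reviews captured RTSP request/response pairs and flags sources outside the management range and stream requests that succeeded without credentials. The allowlist range, host name, stream path and finding labels are assumptions, and the sample exchanges are constructed.

```python
import ipaddress

# Assumption: the management range allowed to reach RTSP on the camera VLAN.
ALLOWED = [ipaddress.ip_network("10.20.0.0/28")]
# Methods that expose stream metadata or media; OPTIONS alone does not.
STREAM_METHODS = {"DESCRIBE", "SETUP", "PLAY"}

def parse_headers(message):
    """Split an RTSP message into its first line and a lowercase header map."""
    head = message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return head[0], headers

def review_exchange(src_ip, request, response):
    """Return a list of findings for one captured request/response pair."""
    req_line, req_headers = parse_headers(request)
    status_line, _ = parse_headers(response)
    method = req_line.split(" ", 1)[0].upper()
    parts = status_line.split(" ")
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    findings = []
    if not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED):
        findings.append("source-outside-allowlist")
    if (method in STREAM_METHODS and 200 <= status < 300
            and "authorization" not in req_headers):
        findings.append("stream-served-without-credentials")
    return findings

# Constructed sample exchanges (placeholder host and path, not from the advisory).
SAMPLES = [
    ("10.20.0.5",
     "DESCRIBE rtsp://camera.example/stream RTSP/1.0\r\nCSeq: 2\r\n"
     "Authorization: Digest username=\"ops\"\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 2\r\n\r\n"),
    ("192.168.1.77",
     "DESCRIBE rtsp://camera.example/stream RTSP/1.0\r\nCSeq: 2\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 2\r\n\r\n"),
    ("192.168.1.90",
     "DESCRIBE rtsp://camera.example/stream RTSP/1.0\r\nCSeq: 2\r\n\r\n",
     "RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n\r\n"),
]

if __name__ == "__main__":
    for src, req, resp in SAMPLES:
        print(src, review_exchange(src, req, resp))
```

A "stream-served-without-credentials" finding from an allowlisted source still matters: it shows the device itself is not enforcing authentication, so the ACL is the only control in place.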