Skip to main content

Xiongmai XM530 CVE-2025-65856

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2025-12-22 cve@mitre.org
9.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.2 HIGH

Unauthenticated, network-reachable, low-complexity missing-auth flaw; documented impact is stream/info disclosure (C:H) with only possible minor config integrity (I:L) and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:34 vuln.today

DescriptionCVE.org

Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access.

AnalysisAI

Unauthenticated access to live video and device data affects Xiongmai XM530-based IP cameras running firmware V5.00.R02.000807D8.10010.346624.S with ONVIF 21.06, where the ONVIF service fails to enforce authentication on 31 endpoints. Any remote attacker who can reach the camera's ONVIF port can pull sensitive device information and view real-time RTSP/ONVIF video streams without credentials. Publicly available exploit code exists, though the flaw is not listed in CISA KEV and EPSS is modest (0.85%, 54th percentile).

Technical ContextAI

The affected component is the camera's ONVIF (Open Network Video Interface Forum) implementation, a SOAP/WSDL-based web-service standard used by IP surveillance devices for discovery, media streaming, and configuration. ONVIF normally protects operations with WS-Security UsernameToken digest authentication, but on this XM530 firmware the SOAP handler does not validate that token before servicing 31 sensitive operations. This maps to CWE-306 (Missing Authentication for a Critical Function): security-relevant endpoints are reachable with no credential check at all. The specific affected image is identified by the CPE cpe:2.3:o:xiongmaitech:xm530v200_x6-weq_8m_firmware:5.00.r02.000807d8.10010.346624.s.onvif_21.06, indicating the XM530V200 X6-WEQ 8M SoC platform, an OEM chipset/firmware widely rebranded across many budget camera and DVR/NVR vendors.

RemediationAI

No vendor-released patch or fixed firmware version is identified in the available data, so a specific upgrade target cannot be cited - check Xiongmai/OEM support channels for firmware superseding V5.00.R02.000807D8.10010.346624.S before deploying. As compensating controls, remove these cameras from direct internet exposure and place them on an isolated management VLAN with no inbound reachability from untrusted networks; block or firewall the ONVIF/RTSP ports (commonly TCP 8899/80/554 on Xiongmai devices) at the perimeter so only an authorized VMS/NVR can reach them, accepting that this breaks remote/cloud viewing that relies on direct device access. Where the deployment permits, disable the ONVIF service entirely if the NVR uses a proprietary protocol instead, noting this will break any ONVIF-based integrations. Consult the researcher write-up at https://luismirandaacebedo.github.io/CVE-2025-65856/ to identify the 31 exposed endpoints for targeted network filtering.

Share

CVE-2025-65856 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy