Xiongmai XM530 CVE-2025-65856
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated, network-reachable, low-complexity missing-auth flaw; documented impact is stream/info disclosure (C:H) with only possible minor config integrity (I:L) and no availability effect.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access.
AnalysisAI
Unauthenticated access to live video and device data affects Xiongmai XM530-based IP cameras running firmware V5.00.R02.000807D8.10010.346624.S with ONVIF 21.06, where the ONVIF service fails to enforce authentication on 31 endpoints. Any remote attacker who can reach the camera's ONVIF port can pull sensitive device information and view real-time RTSP/ONVIF video streams without credentials. Publicly available exploit code exists, though the flaw is not listed in CISA KEV and EPSS is modest (0.85%, 54th percentile).
Technical ContextAI
The affected component is the camera's ONVIF (Open Network Video Interface Forum) implementation, a SOAP/WSDL-based web-service standard used by IP surveillance devices for discovery, media streaming, and configuration. ONVIF normally protects operations with WS-Security UsernameToken digest authentication, but on this XM530 firmware the SOAP handler does not validate that token before servicing 31 sensitive operations. This maps to CWE-306 (Missing Authentication for a Critical Function): security-relevant endpoints are reachable with no credential check at all. The specific affected image is identified by the CPE cpe:2.3:o:xiongmaitech:xm530v200_x6-weq_8m_firmware:5.00.r02.000807d8.10010.346624.s.onvif_21.06, indicating the XM530V200 X6-WEQ 8M SoC platform, an OEM chipset/firmware widely rebranded across many budget camera and DVR/NVR vendors.
RemediationAI
No vendor-released patch or fixed firmware version is identified in the available data, so a specific upgrade target cannot be cited - check Xiongmai/OEM support channels for firmware superseding V5.00.R02.000807D8.10010.346624.S before deploying. As compensating controls, remove these cameras from direct internet exposure and place them on an isolated management VLAN with no inbound reachability from untrusted networks; block or firewall the ONVIF/RTSP ports (commonly TCP 8899/80/554 on Xiongmai devices) at the perimeter so only an authorized VMS/NVR can reach them, accepting that this breaks remote/cloud viewing that relies on direct device access. Where the deployment permits, disable the ONVIF service entirely if the NVR uses a proprietary protocol instead, noting this will break any ONVIF-based integrations. Consult the researcher write-up at https://luismirandaacebedo.github.io/CVE-2025-65856/ to identify the 31 exposed endpoints for targeted network filtering.
More in Xm530V200 X6 Weq 8M Firmware
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today