CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
A buffer overflow vulnerability exists in the ONVIF GetStreamUri function of LSC Indoor Camera V7.6.32. The application fails to validate the length of the Protocol parameter inside the Transport element. By sending a specially crafted SOAP request containing an oversized protocol string, an attacker can overflow the stack buffer, overwriting the return instruction pointer (RIP). This vulnerability allows for Denial of Service (DoS) via device crash or Remote Code Execution (RCE) in the context of the ONVIF service.
Analysis
A stack buffer overflow in the ONVIF GetStreamUri function of LSC Indoor Camera V7.6.32 allows unauthenticated remote attackers to cause denial of service or execute arbitrary code. The trigger is a crafted SOAP request with an oversized Protocol parameter in the Transport element: its length is not validated, so the copy corrupts the stack and overwrites the return instruction pointer.
Technical Context
The vulnerability exists in the ONVIF (Open Network Video Interface Forum) protocol implementation, specifically the GetStreamUri SOAP service endpoint used by network cameras for streaming configuration. ONVIF is a standardized XML/SOAP-based protocol for IP video device communication. The root cause is improper input validation of the Protocol parameter within the Transport XML element during SOAP message parsing. The vulnerable code fails to enforce length restrictions before copying user-supplied Protocol string data into a fixed-size stack buffer, creating a classic buffer overflow (CWE category: improper restriction of operations within the bounds of a memory buffer). LSC Indoor Camera V7.6.32 is the confirmed affected version. The ONVIF service typically listens on network-accessible ports, making the attack surface accessible to any network-connected attacker without prior authentication.
Affected Products
LSC Indoor Camera version 7.6.32 is confirmed affected. The CPE string provided (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) lacks vendor specificity and does not clearly map to LSC products in standard CPE databases, indicating incomplete vendor identification in the CVE record. Based on the GitHub reference (victorGoeman/LSC-Indoor-Camera-Security-Research), the researcher's documentation should be consulted for additional details on affected hardware models and firmware versions. No official LSC vendor advisory URL was provided in the available references.
Remediation
Immediate action: Restrict network access to the ONVIF service port (typically TCP 8080, 8000, or 554) using firewall rules, limiting exposure to trusted administrative networks only. Disable the ONVIF service entirely if it is not required.
Long-term: Check LSC vendor channels and the referenced GitHub repository for patched firmware versions, and upgrade when available. Until patches are released, employ network segmentation to isolate affected cameras on a dedicated VLAN with strict access controls, and consider deploying a reverse proxy with input validation/WAF rules to filter oversized Protocol parameters in SOAP requests. Monitor device logs for unusual ONVIF service crashes or errors that may indicate exploitation attempts. Contact LSC support for security update status and expected remediation timeline.
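One way to implement the reverse-proxy input validation mentioned above, as an added example (not code from the vendor or the researcher): the check allows a request only if every Protocol value inside a Transport element is one of the four tt:TransportProtocol values in the ONVIF schema. The function names, the 16 KiB body cap and the sample request are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Values of tt:TransportProtocol in the ONVIF schema; anything else is rejected.
ALLOWED_PROTOCOLS = {"UDP", "TCP", "RTSP", "HTTP"}
MAX_BODY_BYTES = 16 * 1024  # assumed cap; a normal GetStreamUri body is under 1 KiB

# Constructed sample request; {proto} is filled in by sample_request().
TEMPLATE = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"'
    ' xmlns:trt="http://www.onvif.org/ver10/media/wsdl"'
    ' xmlns:tt="http://www.onvif.org/ver10/schema"><s:Body><trt:GetStreamUri>'
    "<trt:StreamSetup><tt:Stream>RTP-Unicast</tt:Stream>"
    "<tt:Transport><tt:Protocol>{proto}</tt:Protocol></tt:Transport>"
    "</trt:StreamSetup><trt:ProfileToken>Profile_1</trt:ProfileToken>"
    "</trt:GetStreamUri></s:Body></s:Envelope>"
)


def sample_request(proto: str) -> bytes:
    return TEMPLATE.format(proto=proto).encode()


def local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_request(body: bytes):
    """Return (allowed, reason) for one SOAP request body."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed XML"
    # Match on local names so an unexpected prefix or namespace URI
    # cannot slip a Protocol element past the filter.
    for transport in root.iter():
        if local(transport.tag) != "Transport":
            continue
        for child in transport:
            if local(child.tag) == "Protocol":
                value = (child.text or "").strip()
                if value not in ALLOWED_PROTOCOLS:
                    return False, f"Protocol not allowed ({len(value)} chars)"
    return True, "ok"
```

The allow-list is case-sensitive, matching the schema enumeration, so the proxy should log the returned reason for rejected requests to spot both probing and clients that send non-standard values.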
EUVD-2025-209095
GHSA-49jc-jpfq-h27g