CVE-2025-69988

EUVD-2025-209098 | MEDIUM | CVSS 3.1: 6.5
2026-03-27 | mitre

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 27, 2026 - 14:45 (vuln.today)
EUVD ID Assigned: Mar 27, 2026 - 14:45 (euvd), EUVD-2025-209098
CVE Published: Mar 27, 2026 - 00:00 (nvd), MEDIUM 6.5

Description

BS Producten Petcam 33.1.0.0818 is vulnerable to Incorrect Access Control. An unauthenticated attacker in physical proximity can associate with this open network. Once connected, the attacker gains access to the camera's private network interface and can retrieve sensitive information, including the live video and audio stream, without providing credentials.

Analysis

BS Producten Petcam version 33.1.0.0818 fails to enforce access controls on its wireless network interface: an attacker within physical proximity can join the device's open network and access the live video and audio streams directly, without authenticating. The vulnerability affects a consumer IP camera product and carries a CVSS score of 6.5 (medium severity), driven by high confidentiality impact despite requiring physical proximity. A proof-of-concept and technical analysis are publicly available via GitHub; no confirmation of active exploitation in the wild has been identified.

Technical Context

The vulnerability is rooted in incorrect access control mechanisms (CWE classification not specified in available data) on the device's wireless network interface. BS Producten Petcam devices operate as networked cameras that expose a private network interface for streaming video and audio; the affected version 33.1.0.0818 implements an open wireless network without WPA2/WPA3 encryption or credential enforcement at the network layer. Once an unauthenticated attacker associates with the open SSID broadcast by the camera, the device permits direct access to streaming endpoints without requiring authentication, treating network-layer association as implicit authorization. This reflects a failure to apply defense in depth, a weakness typical of consumer IoT devices, where network segmentation and application-level access controls are often omitted.

Affected Products

BS Producten Petcam version 33.1.0.0818 is confirmed vulnerable. The CPE data provided (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) is insufficiently specific and does not resolve to the actual product vendor or name, indicating incomplete CPE registration in the CVE ecosystem. Technical details and vulnerability analysis are documented in the GitHub repository referenced in the CVE record at https://github.com/victorGoeman/BS-Producten-Petcam-Security-Research/blob/main/CVE-2025-69988.md, which should be consulted for version-specific confirmation and further product identification. No information regarding version ranges before or after 33.1.0.0818 is available from the provided intelligence sources.

Remediation

Remediation requires obtaining and deploying a patched firmware version from BS Producten; however, no specific patched version number or vendor advisory URL is provided in the available data. Users should immediately consult the BS Producten support portal or the referenced GitHub security research repository for patch availability and firmware update procedures. Until a vendor patch is available and deployed, implement network segmentation by isolating the camera to a separate VLAN or guest network with no access to sensitive systems or data, disable wireless connectivity if not required and use only wired Ethernet, or restrict physical access to the camera's operating environment to authorized personnel only. If the device is deployed in a multi-user or public-facing environment, consider temporarily removing it from service until a vendor-confirmed patch can be applied. Users should also review any stored or cached video footage for unauthorized access and change any associated account credentials if the camera integrates with a cloud service.

Priority Score

Score: 33
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0
