Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A null pointer dereference vulnerability exists in the RTSP service of the MERCURY MIPC252W 1.0.5 Build 230306 Rel.79931n. During the processing of a SETUP request for the path rtsp://<IP>:554/stream1/track2, the device fails to properly validate the Transport header field. When this header is improperly constructed, the RTSP service can dereference a NULL pointer during request parsing. Successful exploitation causes the device to crash and automatically reboot.
AnalysisAI
Denial of service in MERCURY MIPC252W IP camera firmware 1.0.5 Build 230306 Rel.79931n allows remote unauthenticated attackers to crash the device via malformed RTSP SETUP request. Exploitation triggers a null pointer dereference in the RTSP service during Transport header parsing, forcing an automatic reboot. EPSS score of 0.01% indicates very low observed exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis beyond the researcher's GitHub documentation.
Technical ContextAI
RTSP (Real-Time Streaming Protocol) is a network control protocol used in IP cameras and streaming devices to manage media sessions over ports 554/8554. This vulnerability manifests as a CWE-476 null pointer dereference in the RTSP service implementation of MERCURY MIPC252W firmware. When processing a SETUP request targeting the stream endpoint rtsp://<IP>:554/stream1/track2, the device's RTSP parser fails to validate the Transport header field structure before dereferencing it. In C/C++ implementations common in embedded devices, missing null checks before pointer access can cause segmentation faults leading to process crashes. The automatic reboot behavior suggests the device lacks fault isolation between the RTSP service and the core system, allowing a single service crash to trigger a full device restart. CPE data is incomplete (cpe:2.3:a:n/a:n/a), but the affected product is confirmed as MERCURY brand IP camera model MIPC252W running firmware version 1.0.5 Build 230306 Rel.79931n.
RemediationAI
No vendor-released patch identified at time of analysis. Check MERCURY official website or contact regional distributor for firmware updates newer than Build 230306 Rel.79931n. Compensating controls with specific trade-offs: (1) Block external access to RTSP port 554 at perimeter firewall - prevents remote exploitation but disables remote viewing functionality entirely. (2) Implement network segmentation to isolate IP cameras on dedicated VLAN with restrictive ingress rules allowing only authenticated management stations - reduces attack surface but requires network infrastructure changes and complicates initial deployment. (3) Deploy inline monitoring to detect repeated device reboots as indicator of exploitation attempts - provides detection capability but does not prevent the denial of service condition. (4) Replace device with alternative IP camera models from vendors with active security support programs - eliminates vulnerability but incurs hardware replacement costs. For critical surveillance applications, consider (2) and (3) in combination pending vendor patch availability. Consult researcher disclosure at https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_1th/README.md for technical exploitation details to inform detection signatures.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25899