Skip to main content

MERCURY MIPC252W CVE-2026-35902

| EUVDEUVD-2026-25903 MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-04-27 mitre
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 28, 2026 - 14:22 vuln.today
CVSS changed
Apr 28, 2026 - 14:22 NVD
6.2 (MEDIUM)
EUVD ID Assigned
Apr 27, 2026 - 19:00 euvd
EUVD-2026-25903
Analysis Generated
Apr 27, 2026 - 19:00 vuln.today
CVE Published
Apr 27, 2026 - 00:00 nvd
MEDIUM 6.2

DescriptionCVE.org

The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can cause the RTSP service to enter a persistent authentication failure state, preventing legitimate clients from authenticating and leading to a denial of service.

AnalysisAI

Denial of service in MERCURY IP camera MIPC252W version 1.0.5 Build 230306 allows unauthenticated local attackers to trigger persistent authentication failure in the RTSP service by sending repeated requests with invalid Digest authentication parameters, preventing legitimate clients from authenticating and causing service unavailability.

Technical ContextAI

The RTSP (Real Time Streaming Protocol) service in the MERCURY MIPC252W IP camera implements Digest authentication as a security mechanism. The vulnerability stems from improper handling of failed authentication attempts (CWE-307: Improper Restriction of Rendered UI Layers or Frames, though this CVE more closely relates to authentication state management). When an attacker sends multiple RTSP requests with malformed or invalid Digest authentication credentials, the service enters a persistent failure state rather than recovering gracefully, becoming unable to process subsequent authentication attempts from legitimate users. This affects the RTSP streaming subsystem, which is a core component of IP camera functionality for video transmission.

RemediationAI

Upgrade MERCURY MIPC252W firmware to a patched version if available from MERCURY; contact the vendor for guidance on available firmware updates and timelines. If a patched version is not available, implement the following compensating controls: (1) Restrict RTSP port 554 access at the network firewall to only authorized IP addresses or network segments - this eliminates remote exploitation but does not prevent local network attacks; (2) Isolate the camera on a separate VLAN or network segment, restricting access from untrusted devices or users; (3) Implement network-based rate limiting on RTSP requests to the camera to slow brute-force authentication attempts, though this may impact legitimate streaming; (4) Monitor RTSP service logs for repeated authentication failures and alert on anomalies; (5) Configure automatic camera reboot on a regular schedule (e.g., nightly) to clear any persistent authentication failure state. Note that none of these controls address the root cause; they reduce attack surface and likelihood rather than eliminating the vulnerability. Refer to the MERCURY support documentation or contact the vendor's security team for availability of vendor advisory and patch information.

Share

CVE-2026-35902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy