Skip to main content

MERCURY MIPC252W CVE-2026-51597

| EUVDEUVD-2026-42640 CRITICAL
Authentication Bypass by Capture-replay (CWE-294)
2026-07-09 cve@mitre.org GHSA-c8j5-2w73-cw74
9.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
5.3 MEDIUM

Adjacent access per description (AV:A) and dependence on capturing a real authentication exchange raises complexity (AC:H); impact is stream disclosure only, so C:H with I:N/A:N.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 10, 2026 - 18:26 vuln.today
CVSS changed
Jul 10, 2026 - 18:22 NVD
9.1 (CRITICAL)
CVE Published
Jul 09, 2026 - 17:16 cve.org
CRITICAL 9.1
CVE Published
Jul 09, 2026 - 17:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network attacker can capture a legitimate authentication exchange and replay the nonce and response values in a new connection to bypass authentication without knowledge of the device credentials, gaining unauthorized access to the live video stream.

AnalysisAI

Authentication bypass in the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an attacker on the same local network replay a captured RTSP Digest authentication exchange to view the live video feed without knowing the device credentials. The root cause is that the RTSP server never expires or invalidates authentication nonces, so a sniffed nonce/response pair remains valid on new connections indefinitely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join adjacent LAN/Wi-Fi segment
Delivery
Sniff legitimate RTSP Digest handshake
Exploit
Capture valid nonce and response
Execution
Open new RTSP connection
Persist
Replay captured nonce/response
Impact
Access live video stream

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be on the adjacent/local network segment as the camera and to first passively capture at least one legitimate RTSP Digest authentication exchange (a real client - NVR or app - must authenticate while the attacker can sniff traffic). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and must be read carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has joined the same LAN or Wi-Fi as the camera (e.g., a guest network, a compromised IoT device, or an office visitor) passively captures the RTSP handshake when the owner's NVR or mobile app connects. They then open a new RTSP connection to the camera and resend the captured nonce and Digest response, which the camera accepts because the nonce never expired, granting them the live video stream without any credentials. …
Remediation No vendor-released patch identified at time of analysis, so remediation relies on compensating controls. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all MERCURY MIPC252W camera deployments and document network location and access scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-51597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy