Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Adjacent access per description (AV:A) and dependence on capturing a real authentication exchange raises complexity (AC:H); impact is stream disclosure only, so C:H with I:N/A:N.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network attacker can capture a legitimate authentication exchange and replay the nonce and response values in a new connection to bypass authentication without knowledge of the device credentials, gaining unauthorized access to the live video stream.
AnalysisAI
Authentication bypass in the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an attacker on the same local network replay a captured RTSP Digest authentication exchange to view the live video feed without knowing the device credentials. The root cause is that the RTSP server never expires or invalidates authentication nonces, so a sniffed nonce/response pair remains valid on new connections indefinitely. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be on the adjacent/local network segment as the camera and to first passively capture at least one legitimate RTSP Digest authentication exchange (a real client - NVR or app - must authenticate while the attacker can sniff traffic). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict and must be read carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has joined the same LAN or Wi-Fi as the camera (e.g., a guest network, a compromised IoT device, or an office visitor) passively captures the RTSP handshake when the owner's NVR or mobile app connects. They then open a new RTSP connection to the camera and resend the captured nonce and Digest response, which the camera accepts because the nonce never expired, granting them the live video stream without any credentials. … |
| Remediation | No vendor-released patch identified at time of analysis, so remediation relies on compensating controls. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all MERCURY MIPC252W camera deployments and document network location and access scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42640
GHSA-c8j5-2w73-cw74