Skip to main content

MERCURY MIPC252W CVE-2026-51598

| EUVDEUVD-2026-42641 MEDIUM
Improper Input Validation (CWE-20)
2026-07-09 cve@mitre.org GHSA-g3rw-v45p-h99c
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

AV:A confirmed by adjacent-only RTSP exposure; PR:N as no auth required; A:H for service crash causing full stream loss; C/I:N as no data exposure occurs.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 09, 2026 - 19:31 vuln.today
CVSS changed
Jul 09, 2026 - 18:22 NVD
6.5 (MEDIUM)
CVE Published
Jul 09, 2026 - 17:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

An input validation vulnerability in the RTSP service of MERCURY MIPC252W IP Camera v1.0.5 Build 230306 Rel.79931n) allows an unauthenticated, network-adjacent attacker to cause a denial of service via a crafted DESCRIBE request with a malformed URL in the request line.

AnalysisAI

Denial of service in the RTSP service of MERCURY MIPC252W IP Camera firmware v1.0.5 Build 230306 Rel.79931n allows an unauthenticated, network-adjacent attacker to crash the streaming service by sending a crafted DESCRIBE request containing a malformed URL in the request line. The root cause is improper input validation (CWE-20) in the RTSP parser, resulting in complete loss of camera availability until the device is rebooted. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain adjacent network access
Delivery
Craft RTSP DESCRIBE request with malformed URL
Exploit
Send request to camera RTSP port 554
Execution
Trigger input validation failure in RTSP parser
Persist
RTSP service crash
Impact
Camera stream unavailable

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be on a network-adjacent segment - the same LAN, Wi-Fi broadcast domain, or VLAN as the camera - as confirmed by the CVSS AV:A metric; internet-wide exploitation without prior network access is not possible under this vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H is well-calibrated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connected to the same local network or Wi-Fi segment as the MERCURY MIPC252W camera sends a single crafted RTSP DESCRIBE request with a deliberately malformed URL in the request line. The camera's RTSP service fails to validate the URL, crashes, and stops streaming, rendering the surveillance camera blind until manually power-cycled. …
Remediation No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-51598 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy