Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV:A confirmed by adjacent-only RTSP exposure; PR:N as no auth required; A:H for service crash causing full stream loss; C/I:N as no data exposure occurs.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
An input validation vulnerability in the RTSP service of MERCURY MIPC252W IP Camera v1.0.5 Build 230306 Rel.79931n) allows an unauthenticated, network-adjacent attacker to cause a denial of service via a crafted DESCRIBE request with a malformed URL in the request line.
AnalysisAI
Denial of service in the RTSP service of MERCURY MIPC252W IP Camera firmware v1.0.5 Build 230306 Rel.79931n allows an unauthenticated, network-adjacent attacker to crash the streaming service by sending a crafted DESCRIBE request containing a malformed URL in the request line. The root cause is improper input validation (CWE-20) in the RTSP parser, resulting in complete loss of camera availability until the device is rebooted. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be on a network-adjacent segment - the same LAN, Wi-Fi broadcast domain, or VLAN as the camera - as confirmed by the CVSS AV:A metric; internet-wide exploitation without prior network access is not possible under this vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H is well-calibrated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker connected to the same local network or Wi-Fi segment as the MERCURY MIPC252W camera sends a single crafted RTSP DESCRIBE request with a deliberately malformed URL in the request line. The camera's RTSP service fails to validate the URL, crashes, and stops streaming, rendering the surveillance camera blind until manually power-cycled. … |
| Remediation | No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42641
GHSA-g3rw-v45p-h99c