Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can cause the RTSP service to enter a persistent authentication failure state, preventing legitimate clients from authenticating and leading to a denial of service.
AnalysisAI
Denial of service in MERCURY IP camera MIPC252W version 1.0.5 Build 230306 allows unauthenticated local attackers to trigger persistent authentication failure in the RTSP service by sending repeated requests with invalid Digest authentication parameters, preventing legitimate clients from authenticating and causing service unavailability.
Technical ContextAI
The RTSP (Real Time Streaming Protocol) service in the MERCURY MIPC252W IP camera implements Digest authentication as a security mechanism. The vulnerability stems from improper handling of failed authentication attempts (CWE-307: Improper Restriction of Rendered UI Layers or Frames, though this CVE more closely relates to authentication state management). When an attacker sends multiple RTSP requests with malformed or invalid Digest authentication credentials, the service enters a persistent failure state rather than recovering gracefully, becoming unable to process subsequent authentication attempts from legitimate users. This affects the RTSP streaming subsystem, which is a core component of IP camera functionality for video transmission.
RemediationAI
Upgrade MERCURY MIPC252W firmware to a patched version if available from MERCURY; contact the vendor for guidance on available firmware updates and timelines. If a patched version is not available, implement the following compensating controls: (1) Restrict RTSP port 554 access at the network firewall to only authorized IP addresses or network segments - this eliminates remote exploitation but does not prevent local network attacks; (2) Isolate the camera on a separate VLAN or network segment, restricting access from untrusted devices or users; (3) Implement network-based rate limiting on RTSP requests to the camera to slow brute-force authentication attempts, though this may impact legitimate streaming; (4) Monitor RTSP service logs for repeated authentication failures and alert on anomalies; (5) Configure automatic camera reboot on a regular schedule (e.g., nightly) to clear any persistent authentication failure state. Note that none of these controls address the root cause; they reduce attack surface and likelihood rather than eliminating the vulnerability. Refer to the MERCURY support documentation or contact the vendor's security team for availability of vendor advisory and patch information.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25903