Skip to main content

MERCURY MIPC252W EUVDEUVD-2026-25904

| CVE-2026-35903 CRITICAL
Improper Authentication (CWE-287)
2026-04-27 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 28, 2026 - 16:23 vuln.today
CVSS changed
Apr 28, 2026 - 16:22 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 27, 2026 - 19:00 euvd
EUVD-2026-25904
Analysis Generated
Apr 27, 2026 - 19:00 vuln.today
CVE Published
Apr 27, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response.

AnalysisAI

Authentication bypass in MERCURY MIPC252W IP camera 1.0.5 allows remote unauthenticated attackers to hijack authenticated RTSP sessions and execute unauthorized camera control commands. After an initial valid Digest authentication in a DESCRIBE request, the device fails to validate subsequent RTSP request credentials (SETUP, PLAY, TEARDOWN), accepting empty or invalid Authorization headers as long as session parameters match. This enables complete camera takeover including video stream access, configuration changes, and service disruption without credential brute-forcing. EPSS score of 0.01% suggests minimal observed exploitation activity, though the attack complexity is low (AV:N/AC:L/PR:N) and public PoC exists on GitHub.

Technical ContextAI

The vulnerability stems from improper implementation of the RTSP (Real Time Streaming Protocol) Digest authentication scheme, classified as CWE-287 (Improper Authentication). RTSP typically requires Digest authentication for each method request using challenge-response with MD5 hashing of credentials, nonce, URI, and other parameters. The MERCURY MIPC252W firmware 1.0.5 Build 230306 Rel.79931n correctly validates credentials during the initial DESCRIBE handshake but fails to re-validate the 'response' parameter in the Authorization header for subsequent session operations. The device only checks session identifiers and nonce values, creating a session fixation vulnerability where an attacker monitoring network traffic can extract these non-secret parameters from legitimate sessions and replay them with fabricated Authorization headers. This represents a fundamental breakdown in stateful authentication verification within the RTSP server implementation.

RemediationAI

No vendor-released patch identified at time of analysis. MERCURY has not published a security advisory or firmware update addressing CVE-2026-35903 based on available references. Organizations should implement immediate compensating controls: isolate affected cameras on a dedicated VLAN with strict firewall rules blocking RTSP port 554 from untrusted networks; disable RTSP streaming if not operationally required and use alternative access methods (HTTPS web interface, proprietary protocols); implement network access control (802.1X) to prevent unauthorized devices from capturing session traffic; deploy TLS/encrypted tunnels (VPN) for all camera management traffic to prevent session parameter interception; monitor RTSP connection logs for anomalous session patterns (multiple IPs using same session ID, rapid succession of SETUP requests). Note that disabling RTSP eliminates streaming functionality used by third-party NVR systems and may require infrastructure changes. VLANing requires careful planning to maintain legitimate access from monitoring stations. Contact MERCURY technical support to request patched firmware and inquire about product end-of-life status. Consider hardware replacement if vendor support is discontinued.

Share

EUVD-2026-25904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy