Vulners
Lucene search
📄 Xiongmai XM530 IP Camera ONVIF Complete Authentication Bypass
🗓️ 18 Dec 2025 00:00:00Reported by Luis Miranda AcebedoType 
packetstorm🔗 packetstorm.news👁 681 Views
| Reporter | Title | Published | Views | Family All 65 |
|---|---|---|---|---|
 | XiongMai uc-httpd 1.0.0 - Buffer Overflow Exploit | 9 Jun 201800:00 | – | zdt |
| XMeye P2P Cloud Remote Code Execution / Integrity Issues Vulnerabilities | 10 Oct 201800:00 | – | zdt |
 | Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Xiongmaitech Ahb7008F8-H_Firmware | 13 Apr 201807:43 | – | githubexploit |
 | CVE-2018-10088 | 8 Jun 201800:00 | – | attackerkb |
 | The vulnerability of Xiongmai Technology’s micro-programmed software for IP cameras and video recorders, related to buffer overflow attacks, allows intruders to execute arbitrary codes or trigger an emergency shutdown of the devices. | 15 Feb 201800:00 | – | bdu_fstec |
 | CVE-2017-16725 | 29 Mar 202302:14 | – | circl |
| CVE-2018-10088 | 18 Jun 201809:04 | – | circl |
| CVE-2018-17915 | 10 Oct 201814:36 | – | circl |
| CVE-2025-65856 | 17 Dec 202521:00 | – | circl |
| CVE-2025-65857 | 17 Dec 202521:00 | – | circl |
10
# CVE-2025-65856
**Xiongmai XM530 IP Camera ONVIF Complete Authentication Bypass**
---
## Summary
Complete authentication bypass in the ONVIF implementation of Xiongmai XM530-series IP cameras allows unauthenticated remote access to sensitive device information, configuration, and video streams.
**CVE ID:** CVE-2025-65856
**Severity:** CRITICAL
**CVSS v3.1 Score:** 9.8
**CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
### CVSS Breakdown
* **Attack Vector (AV):** Network - Remotely exploitable
* **Attack Complexity (AC):** Low - No special conditions required
* **Privileges Required (PR):** None - No authentication needed
* **User Interaction (UI):** None - Zero-click exploitation
* **Confidentiality/Integrity/Availability:** High - Complete device compromise
---
## Affected Products
**Vendor:** Hangzhou Xiongmai Technology Co., Ltd.
**Product:** IP Camera XM530V200_X6-WEQ_8M
**Commercial Brand:** ANBIUX (and hundreds of OEM rebrands)
**Firmware:** V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 and likely all V5.00.R02.* versions
**Component:** ONVIF Web Service Implementation
**Device Context:**
Xiongmai is a major OEM supplier of IP cameras sold under hundreds of brand names globally. These cameras are widely deployed in residential, commercial, and industrial surveillance systems.
---
## Vulnerability Details
The ONVIF web service implementation fails to enforce authentication on 31 critical endpoints that should require credentials per ONVIF specifications.
**Technical Details:**
1. **Missing WS-Security Authentication (CWE-306)**
* ONVIF endpoints accept unauthenticated SOAP requests
* No validation of Security headers
* Standard ONVIF authentication completely bypassed
2. **Affected Endpoints (partial list):**
* `GetDeviceInformation` - Hardware/firmware details
* `GetUsers` - User account information
* `GetStreamUri` - RTSP stream URIs with credentials
* `GetSnapshotUri` - Still image URIs
* `GetNetworkInterfaces` - Network configuration
* `GetNetworkProtocols` - Enabled services/ports
* `GetDNS` / `GetNTP` - DNS and NTP configuration
* `GetPresets` / `GetNodes` - PTZ configuration
* `SetRelayOutputState` - Control relay outputs (alarms)
* ... and 22 additional critical endpoints
3. **Attack Surface:**
* Common ports: 80, 8000, 8080, 8899
* No rate limiting observed
* Thousands of devices exposed to internet (Shodan: `port:80 "Server: uc-httpd"` or `port:8899 "XM"`)
---
## Impact
An unauthenticated remote attacker can:
* Access live video and audio streams
* Obtain complete device configuration
* Enumerate user accounts and credentials
* Control PTZ (Pan-Tilt-Zoom) functions
* Manipulate relay outputs (alarm systems)
* Perform network reconnaissance
* Extract RTSP credentials (see CVE-2025-65857)
**Privacy Impact:** Direct violation of GDPR and privacy regulations. Enables mass surveillance operations.
**Combined with CVE-2025-65857:** Complete zero-authentication access to live video streams.
---
## Proof of Concept
**Basic ONVIF Request (No Authentication):**
```bash
curl -X POST http://[CAMERA_IP]:8899/onvif/device_service \
-H "Content-Type: application/soap+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body xmlns:tds="http://www.onvif.org/ver10/device/wsdl">
<tds:GetDeviceInformation/>
</s:Body>
</s:Envelope>'
```
**Expected:** Authentication required
**Actual:** Full device information returned without credentials
Complete PoC testing all 31 vulnerable endpoints available to security researchers upon request.
---
## Mitigation
### For Users (Immediate):
* **Network Isolation:** Place cameras on isolated VLAN with no internet access
* **Firewall Rules:** Block inbound connections to ports 80, 8000, 8080, 8899, 554
* **Disable ONVIF:** Check camera settings for option to disable ONVIF protocol
* **VPN-Only Access:** Never expose cameras directly to internet
* **Consider Replacement:** Given vendor's security history, replacement recommended
### For Vendor:
* Implement proper WS-Security authentication on all ONVIF endpoints
* Follow ONVIF Core Specification security requirements
* Add rate limiting and brute force protection
* Enable security logging and alerts
**No patch currently available.**
---
## Timeline
* **November 2025:** Vulnerability discovered during security assessment
* **December 16, 2025:** CVE-2025-65856 assigned by MITRE (Service Request: 1954988)
* **December 17, 2025:** Vendor contact attempted via [email protected] (email delivery failed - server misconfigured)
* **December 17, 2025:** Alternative contact attempted via [email protected] (email delivery failed)
* **December 17, 2025:** Public disclosure
**Vendor Response:** No response received. Official security contact infrastructure non-functional.
---
## Credits
**Discovered by:** Luis Miranda Acebedo
**Location:** Vigo, Galicia, Spain
**Contact:** [email protected]
---
## References
* **CVE:** https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-65856
* **Related:** CVE-2025-65857 (Hardcoded RTSP Credentials)
* **CWE-306:** https://cwe.mitre.org/data/definitions/306.html
* **ONVIF Spec:** https://www.onvif.org/specs/core/ONVIF-Core-Specification.pdf
* **Vendor History:**
* CVE-2017-16725 (Directory traversal, unpatched)
* CVE-2018-10088 (Authentication bypass, unpatched)
* CVE-2018-17915, 17917, 17919 (XMEye P2P vulnerabilities)
* Mirai botnet contributor (2016)
* SEC Consult Advisory (2018): "Recommend discontinuing Xiongmai products"
This site is open source. [Improve this page](https://github.com/LuisMirandaAcebedo/CVE-2025-65856/edit/main/README.md).Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Dec 2025 00:00Current
9.5High risk
Vulners AI Score9.5
CVSS 39.8
CVSS 210
CVSS 3.19.8
EPSS0.40386
SSVC