Vulners
Lucene search
📄 Xiongmai XM530 ONVIF / RTSP Security Scanner
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | CVE-2025-65856 | 17 Dec 202521:00 | – | circl |
 | Xiongmai XM530 安全漏洞 | 22 Dec 202500:00 | – | cnnvd |
 | CVE-2025-65856 | 22 Dec 202500:00 | – | cve |
 | CVE-2025-65856 | 22 Dec 202500:00 | – | cvelist |
 | EUVD-2025-204762 | 23 Dec 202500:30 | – | euvd |
 | Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera | 23 Apr 202606:00 | – | ics |
 | CVE-2025-65856 | 22 Dec 202522:16 | – | nvd |
 | CVE-2025-65856 | 22 Dec 202522:16 | – | osv |
 | 📄 Xiongmai XM530 IP Camera Hardcoded RTSP Credential Exposure | 18 Dec 202500:00 | – | packetstorm |
| 📄 Xiongmai XM530 IP Camera ONVIF Complete Authentication Bypass | 18 Dec 202500:00 | – | packetstorm |
10
=============================================================================================================================================
| # Title : Xiongmai XM530 ONVIF & RTSP Security Scanner for IP Cameras |
| # Author : [email protected] |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.xiongmaitech.com/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/213044/ & CVE-2025-65856
[+] Summary : This project is a unified PHP-based security scanner designed to identify critical vulnerabilities in IP cameras,
with a primary focus on ONVIF authentication bypass (CVE-2025-65856) and unauthenticated RTSP stream exposure.
The tool provides a single-file web interface that allows scanning a single IP address or an entire network range (CIDR), detecting exposed services,
fingerprinting device information (manufacturer and model), and assessing risk severity (LOW, MEDIUM, HIGH, CRITICAL).
The scanner is optimized for defensive security assessments and SOC use cases, generating structured JSON-compatible results suitable for SIEM ingestion.
It operates without external libraries, supports AJAX-based scanning without page reloads, and is fully compatible with standard PHP environments such as XAMPP.
[+] Key capabilities include:
Detection of ONVIF authentication bypass vulnerabilities
Identification of exposed RTSP streams without credentials
Automatic severity classification based on exposure level
Device fingerprinting (manufacturer / model when available)
Network-wide scanning via CIDR notation
Lightweight, single-file PHP web interface
Read-only, non-destructive Proof-of-Concept suitable for lawful security testing
[+] POC : How to Use It
Place the file inside: htdocs/camera_scanner.php
Open your browser:http://localhost/camera_scanner.php
Example Input :192.168.1.10 or 192.168.1.0/24
<?php
set_time_limit(0);
error_reporting(E_ALL & ~E_WARNING);
function port_open($ip, $port, $timeout = 2) {
$fp = @fsockopen($ip, $port, $errno, $errstr, $timeout);
if ($fp) {
fclose($fp);
return true;
}
return false;
}
function severity($onvif, $rtsp) {
if ($onvif && $rtsp) return "CRITICAL";
if ($onvif) return "HIGH";
if ($rtsp) return "MEDIUM";
return "LOW";
}
function check_onvif($ip, $port) {
$soap = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body>
<GetDeviceInformation xmlns="http://www.onvif.org/ver10/device/wsdl"/>
</s:Body>
</s:Envelope>
XML;
$opts = [
'http' => [
'method' => "POST",
'header' => "Content-Type: application/soap+xml\r\n",
'content' => $soap,
'timeout' => 3
]
];
$ctx = stream_context_create($opts);
$url = "http://$ip:$port/onvif/device_service";
$res = @file_get_contents($url, false, $ctx);
if ($res && strpos($res, "Manufacturer") !== false) {
preg_match('/<Manufacturer>(.*?)<\/Manufacturer>/', $res, $m);
preg_match('/<Model>(.*?)<\/Model>/', $res, $mo);
return [
"onvif" => true,
"manufacturer" => $m[1] ?? "Unknown",
"model" => $mo[1] ?? "Unknown",
"port" => $port
];
}
return ["onvif" => false];
}
function check_rtsp($ip, $port) {
$fp = @fsockopen($ip, $port, $e, $s, 2);
if ($fp) {
fwrite($fp, "OPTIONS rtsp://$ip RTSP/1.0\r\nCSeq: 1\r\n\r\n");
$r = fread($fp, 256);
fclose($fp);
if (strpos($r, "RTSP") !== false) return true;
}
return false;
}
function scan_ip($ip) {
$onvif = false;
$rtsp = false;
$info = [];
foreach ([80,8899,8080] as $p) {
if (port_open($ip, $p)) {
$r = check_onvif($ip, $p);
if ($r['onvif']) {
$onvif = true;
$info = $r;
break;
}
}
}
foreach ([554,8554] as $p) {
if (port_open($ip, $p) && check_rtsp($ip, $p)) {
$rtsp = true;
$info['rtsp_port'] = $p;
break;
}
}
return [
"ip" => $ip,
"onvif" => $onvif,
"rtsp" => $rtsp,
"manufacturer" => $info['manufacturer'] ?? "-",
"model" => $info['model'] ?? "-",
"severity" => severity($onvif, $rtsp),
"time" => date("Y-m-d H:i:s")
];
}
/* ================= AJAX ================= */
if (isset($_POST['target'])) {
$target = trim($_POST['target']);
$results = [];
if (strpos($target, "/") !== false) {
[$net, $cidr] = explode("/", $target);
$mask = ~((1 << (32 - $cidr)) - 1);
$start = ip2long($net) & $mask;
$end = $start | ~$mask;
for ($i = $start + 1; $i < $end; $i++) {
$ip = long2ip($i);
$r = scan_ip($ip);
if ($r['onvif'] || $r['rtsp']) {
$results[] = $r;
}
}
} else {
$results[] = scan_ip($target);
}
header("Content-Type: application/json");
echo json_encode($results, JSON_PRETTY_PRINT);
exit;
}
?>
<!DOCTYPE html>
<html lang="ar" dir="rtl">
<head>
<meta charset="utf-8">
<title>Camera Security Scanner</title>
<style>
body{font-family:tahoma;background:#0f172a;color:#e5e7eb}
.box{width:900px;margin:30px auto;background:#020617;padding:20px;border-radius:10px}
input,button{padding:10px;width:100%;margin:5px 0}
button{background:#2563eb;color:#fff;border:0;cursor:pointer}
pre{background:#020617;padding:10px;max-height:400px;overflow:auto}
.CRITICAL{color:#dc2626}
.HIGH{color:#f97316}
.MEDIUM{color:#eab308}
</style>
</head>
<body>
<div class="box">
<h2>🔍 فحص كاميرات ONVIF / RTSP</h2>
<input id="target" placeholder="192.168.1.10 أو 192.168.1.0/24">
<button onclick="scan()">ابدأ الفحص</button>
<pre id="out"></pre>
</div>
<script>
function scan(){
document.getElementById("out").textContent="جاري الفحص...";
fetch("",{
method:"POST",
headers:{"Content-Type":"application/x-www-form-urlencoded"},
body:"target="+encodeURIComponent(document.getElementById("target").value)
})
.then(r=>r.json())
.then(d=>{
let o="";
d.forEach(x=>{
o+=`[${x.severity}] ${x.ip} | ONVIF:${x.onvif} RTSP:${x.rtsp}\n`;
});
document.getElementById("out").textContent=o;
});
}
</script>
</body>
</html>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Feb 2026 00:00Current
5.6Medium risk
Vulners AI Score5.6
CVSS 3.19.8
EPSS0.00465
SSVC