CVE-2024-46959: n/a
runofast Indoor Security Camera for Baby Monitor has a default password of 'password' for the root account. This allows access to the /stream1 URI via the rtsp:// protocol to receive the video and audio stream.
AI Analysis
Technical Summary
CVE-2024-46959 identifies a security vulnerability in the runofast Indoor Security Camera for Baby Monitor, where the root account is configured with the default password 'password'. This weak, publicly known credential allows any attacker with network reach to authenticate to the device's RTSP service with the default credentials and access the /stream1 URI, thereby receiving the live video and audio stream. The vulnerability is classified under CWE-259 (Use of Hard-coded Password) and has a CVSS v3.1 base score of 6.5, indicating medium severity. The attack vector is adjacent network (AV:A), meaning the attacker must be on the same local network or otherwise have network access to the device. No privileges or user interaction are required, and the scope is unchanged. The impact is high on confidentiality, as sensitive video and audio data can be intercepted, but integrity and availability remain unaffected. No patches or firmware updates are currently available, and no exploits have been reported in the wild. The vulnerability highlights poor security hygiene in IoT device manufacturing, particularly the use of default credentials that are widely known and easily exploitable.
Potential Impact
The primary impact of this vulnerability is the compromise of confidentiality for users of the runofast Indoor Security Camera for Baby Monitor. Attackers can remotely access live video and audio streams, potentially exposing sensitive personal or family information. This can lead to privacy violations, stalking, or targeted attacks against individuals, especially given the sensitive context of baby monitoring. Although the vulnerability does not allow modification of the stream or denial of service, the exposure of private footage can have severe reputational and emotional consequences. Organizations deploying these devices in homes, daycare centers, or healthcare facilities risk unauthorized surveillance. The lack of patches or mitigations from the vendor increases the risk of exploitation if attackers gain network access. The medium CVSS score reflects the balance between the ease of exploitation and the limited scope of impact to confidentiality only.
Mitigation Recommendations
To mitigate this vulnerability, users and organizations should immediately change the default root password to a strong, unique password to prevent unauthorized access. Network segmentation is critical: isolate IoT devices like baby monitors on separate VLANs or subnets with strict firewall rules to limit access to trusted devices only. Disable RTSP streaming if not required or restrict RTSP access via network controls. Monitor network traffic for unusual RTSP connections or unauthorized access attempts. Regularly audit IoT devices for default credentials and insecure configurations. Vendors should be pressured to release firmware updates that enforce unique credentials per device and disable default passwords. Additionally, consider replacing vulnerable devices with models that follow secure development practices and support regular security updates. Employing network intrusion detection systems (NIDS) capable of identifying RTSP anomalies can provide early warning of exploitation attempts.
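A small defender-side check, added here as an example (it is not vendor or OffSeq code), that applies the monitoring advice above: it parses constructed firewall flow-log lines and flags RTSP (tcp/554) sessions to the camera from any host outside an allowlist, noting whether the source sits on the camera's own IoT segment, which is all the adjacent-network vector needs. The camera address, subnet, log format and allowlist are assumptions.

```python
"""Flag RTSP sessions to an isolated camera from hosts outside an allowlist.

Hypothetical detection helper (not vendor code). Assumes a firewall/flow
log in key=value form and a fixed allowlist of trusted viewer hosts.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed values: the camera sits on an isolated IoT subnet and only the
# household's monitoring host may open the RTSP stream (tcp/554, /stream1).
CAMERA_IP = "192.168.20.5"
RTSP_PORT = 554
TRUSTED_VIEWERS = {"192.168.10.10"}
IOT_SUBNET = ip_network("192.168.20.0/24")

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)(?: uri=(?P<uri>\S+))?"
)

def parse_line(line):
    """Parse one assumed key=value flow-log line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(event):
    """Return a finding string for an untrusted RTSP hit on the camera, else None."""
    if event is None or event["dst"] != CAMERA_IP or int(event["dport"]) != RTSP_PORT:
        return None
    src = event["src"]
    if src in TRUSTED_VIEWERS:
        return None
    uri = event.get("uri") or "<no-uri>"
    # Any other host reaching the stream violates the segmentation policy; a
    # peer on the IoT subnet is the worst case, since the default root
    # password is all an adjacent-network attacker needs.
    where = "same IoT segment" if ip_address(src) in IOT_SUBNET else "other segment"
    return f"{event['ts']} untrusted RTSP access to {uri} from {src} ({where})"

def scan(lines):
    """Run every line through the classifier and keep the findings."""
    return [f for f in (classify(parse_line(l)) for l in lines) if f]

# Constructed sample log: one legitimate session, two that should be flagged,
# one non-RTSP connection that is ignored.
SAMPLE_LOG = [
    "2026-02-25T21:40:01Z src=192.168.10.10 dst=192.168.20.5 dport=554 proto=tcp uri=/stream1",
    "2026-02-25T21:41:12Z src=192.168.20.77 dst=192.168.20.5 dport=554 proto=tcp uri=/stream1",
    "2026-02-25T21:42:30Z src=192.168.10.33 dst=192.168.20.5 dport=554 proto=tcp",
    "2026-02-25T21:43:00Z src=192.168.10.33 dst=192.168.20.5 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```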
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, China, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-09-16T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d06b7ef31ef0b56d4ee
Added to database: 2/25/2026, 9:43:34 PM
Last enriched: 2/28/2026, 7:31:27 AM
Last updated: 4/12/2026, 9:15:54 AM
Views: 11