CVE-2025-10538 is an authentication bypass vulnerability identified in LG Innotek camera models LND7210 and LNV7210R. The vulnerability is categorized under CWE-288, which involves bypassing authentication using alternate paths or channels. This means that the cameras' authentication mechanisms can be circumvented by exploiting a flaw in how the device processes authentication requests, allowing an attacker to gain unauthorized access without providing valid credentials. The vulnerability has a CVSS 4.0 base score of 8.8, indicating high severity. The vector string (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N) shows that the attack can be performed remotely over the network (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and no authentication (AT:N). The impact on confidentiality is high (VC:H), while integrity and availability impacts are low (VI:L, VA:L). This suggests attackers can access sensitive information but may have limited ability to alter or disrupt device operation. The vulnerability affects all versions of the specified models (affectedVersions: 0 indicates all versions). No patches or fixes have been released yet, and no known exploits are reported in the wild. The flaw allows attackers to access camera information, including user account details, potentially enabling further compromise or surveillance. The root cause is likely improper validation or handling of authentication requests via alternate communication paths or channels within the device firmware or software stack.

For European organizations, this vulnerability poses significant risks, particularly for entities relying on LG Innotek cameras for security, surveillance, or operational monitoring. Unauthorized access to camera feeds and user account information can lead to privacy violations, espionage, and unauthorized surveillance. Confidentiality of sensitive environments, such as government buildings, corporate offices, or critical infrastructure, could be compromised. The ability to bypass authentication without user interaction or privileges increases the likelihood of automated or remote exploitation attempts. Although integrity and availability impacts are low, the exposure of user credentials could facilitate lateral movement or further attacks within the network. The absence of patches means organizations must rely on network-level mitigations, increasing operational complexity. The threat is particularly acute for sectors with high security requirements, including public administration, defense, finance, and healthcare. Additionally, the vulnerability could undermine trust in IoT device security, impacting broader adoption and compliance with European data protection regulations such as GDPR.

Given the lack of available patches, European organizations should implement immediate compensating controls. First, identify and inventory all LG Innotek LND7210 and LNV7210R cameras within the network. Restrict network access to these devices by segmenting them into isolated VLANs or dedicated subnets with strict firewall rules limiting inbound and outbound traffic. Disable any remote access features or services not essential for operation, especially those exposed to the internet. Employ strong network monitoring and intrusion detection systems to detect anomalous access patterns or unauthorized connection attempts targeting these cameras. Change default credentials and enforce strong authentication policies where possible, even though the vulnerability bypasses authentication, to reduce risk from other attack vectors. Consider replacing vulnerable devices with models from vendors with a stronger security track record if feasible. Engage with LG Innotek for updates on patches or firmware upgrades addressing this vulnerability. Finally, educate security teams about this specific threat to ensure rapid response to any suspicious activity involving these cameras.