CVE-2025-11757 is a vulnerability classified under CWE-155 (Improper Neutralization of Wildcards or Matching Symbols) affecting CloudEdge App version 4.4.2. The issue stems from the CloudEdge Cloud service's failure to sanitize MQTT topic inputs properly. MQTT is a lightweight messaging protocol widely used in IoT environments, where topics define message routing. The vulnerability allows an attacker to exploit MQTT wildcards (such as '#' or '+') to subscribe to a broad range of topics beyond their authorized scope. By doing so, the attacker can intercept messages intended for other users, which include sensitive data such as credentials and cryptographic keys necessary for establishing peer-to-peer connections to CloudEdge cameras. This unauthorized access compromises the confidentiality of video streams and control commands. The vulnerability can be exploited remotely without any authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality. Although no exploits are currently known in the wild, the potential for abuse is significant given the sensitive nature of the data exposed. The lack of input validation and topic filtering in MQTT subscriptions is the root cause, highlighting a critical design flaw in the CloudEdge Cloud service's message handling. This vulnerability could enable attackers to surveil or manipulate IoT camera feeds, posing privacy and security risks.

For European organizations, the impact of CVE-2025-11757 is substantial, particularly for those deploying CloudEdge IoT cameras in critical infrastructure, corporate environments, or smart city projects. Unauthorized access to camera credentials and keys can lead to privacy violations, espionage, and unauthorized surveillance. Compromised camera feeds may expose sensitive corporate or personal information, undermining GDPR compliance and data protection mandates. Additionally, attackers could leverage intercepted credentials to pivot within networks or disrupt camera operations, affecting availability indirectly. The vulnerability's remote exploitability without authentication increases the attack surface, especially in organizations with exposed MQTT brokers or insufficient network segmentation. The breach of confidentiality could also damage organizational reputation and lead to regulatory penalties. Given the growing reliance on IoT devices in Europe, this vulnerability poses a risk to both private and public sector entities.

To mitigate CVE-2025-11757, organizations should: 1) Monitor CloudEdge vendor communications and apply security patches immediately once released. 2) Implement strict MQTT topic access controls, ensuring clients can only subscribe to authorized topics without wildcard permissions. 3) Employ input validation and sanitization on MQTT topic strings at the broker and application layers to prevent wildcard abuse. 4) Segment IoT networks to isolate camera devices and MQTT brokers from critical enterprise systems, limiting lateral movement. 5) Use MQTT brokers that support authentication and authorization mechanisms to enforce topic-level permissions. 6) Conduct regular security audits and penetration testing focused on IoT messaging protocols. 7) Educate administrators on secure MQTT configuration best practices. 8) Consider deploying network intrusion detection systems (NIDS) tuned to detect anomalous MQTT subscription patterns. These measures go beyond generic advice by focusing on protocol-specific controls and network architecture adjustments tailored to this vulnerability.