CVE-2025-41017: CWE-862 Missing Authorization in Davantis DFUSION
Inadequate access control vulnerability in Davantis DDFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing “/cameras/<CAMERA_ID>/perspective”.
AI Analysis
Technical Summary
CVE-2025-41017 is a missing-authorization flaw (CWE-862) in Davantis DFUSION, a video surveillance management product. The endpoint /cameras/<CAMERA_ID>/perspective returns the perspective parameters stored for a camera, and the handler serves them without checking that the caller holds a session or a permission for that camera, so anyone who can reach the management interface can read the parameters and, if camera IDs are predictable, walk through them. The CVE record names version 6.177.7; the fix is reported in 6.186.1, and releases before it should be treated as affected. The advisory does not say what the parameters contain; in video analytics products, perspective settings normally describe how the camera image maps onto the monitored scene (mounting geometry and field of view), which is the information an attacker planning physical access would want. The vulnerability was published on November 24, 2025.
The CVSS 4.0 vector is AV:N/AC:L/PR:N/UI:N with VC:L: reachable over the network, a single request, no privileges and no user interaction, with limited confidentiality impact and no integrity or availability impact. No exploitation in the wild has been reported. Because what is missing is a server-side authorization check rather than a protocol weakness, only a vendor fix removes the exposure; network controls reduce who can reach it. The risk is highest where the management interface is reachable from untrusted networks.
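The pattern behind this CVE, shown as an added example rather than Davantis code: a minimal router with the perspective route in its vulnerable form (the handler never looks at the caller) beside a corrected form that authenticates and then authorizes for the specific camera named in the path. The route shape, the bearer-token sessions, the role model and the camera data are all hypothetical.

```python
"""Added example (not Davantis code): a minimal request router showing the
CWE-862 pattern behind CVE-2025-41017 and a corrected handler. The route,
session format, permission model and camera data are hypothetical."""
import re
from typing import Optional

# Constructed sample data: per-camera perspective parameters (hypothetical).
CAMERAS = {
    "cam-17": {"horizon_y": 212, "focal_px": 1480.0, "mount_height_m": 4.2},
    "cam-42": {"horizon_y": 190, "focal_px": 1320.0, "mount_height_m": 3.5},
}

# Constructed session store: token -> principal. A "viewer" is limited to
# the cameras listed for it; an "admin" may read every camera.
SESSIONS = {
    "tok-admin": {"user": "alice", "role": "admin", "cameras": set()},
    "tok-viewer": {"user": "bob", "role": "viewer", "cameras": {"cam-42"}},
}

# Only the exact path shape is accepted; no dots, slashes or query parts.
PERSPECTIVE = re.compile(r"^/cameras/(?P<camera_id>[A-Za-z0-9_-]+)/perspective$")


def _principal(headers: dict) -> Optional[dict]:
    """Resolve the caller from a bearer token; None if absent or invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def handle_vulnerable(path: str, headers: dict) -> tuple:
    """Missing authorization: the handler never consults the session."""
    m = PERSPECTIVE.match(path)
    if not m:
        return 404, {"error": "not found"}
    cam = CAMERAS.get(m["camera_id"])
    if cam is None:
        return 404, {"error": "unknown camera"}
    return 200, cam  # anyone who can reach the port gets the parameters


def handle_fixed(path: str, headers: dict) -> tuple:
    """Authenticate, then authorize for the camera named in the path."""
    m = PERSPECTIVE.match(path)
    if not m:
        return 404, {"error": "not found"}
    principal = _principal(headers)
    if principal is None:
        return 401, {"error": "authentication required"}
    camera_id = m["camera_id"]
    # Object-level check: a valid session alone is not enough, the caller
    # must be allowed to see *this* camera. Deny before revealing whether
    # the camera exists, so the endpoint cannot be used to enumerate IDs.
    allowed = principal["role"] == "admin" or camera_id in principal["cameras"]
    if not allowed:
        return 403, {"error": "forbidden"}
    cam = CAMERAS.get(camera_id)
    if cam is None:
        return 404, {"error": "unknown camera"}
    return 200, cam
```

The corrected handler checks the caller before touching the camera store and returns 403 before 404, so an authenticated but unprivileged user cannot use the response code to discover which camera IDs exist.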
Potential Impact
For European organizations, this vulnerability is a moderate confidentiality risk to physical security infrastructure rather than to the IT estate itself. Disclosure of camera perspective parameters lets an attacker reconstruct surveillance coverage, identify blind spots and plan intrusion or sabotage with less on-site reconnaissance. Sites with high physical-security requirements (transport hubs, government facilities, energy plants, financial institutions) that run DFUSION are the ones that should treat it as a priority. The same data can also support insider activity or espionage by revealing operational detail about what is monitored and how. The flaw does not affect system integrity or availability, but the knock-on effects of defeated physical security (theft, vandalism, service disruption) can be far larger than the CVSS confidentiality score suggests. Deployments whose management interface is reachable from outside the management network are at the highest risk. No exploitation in the wild has been reported, but that offers little protection: exploitation is a single unauthenticated HTTP request, so no tooling needs to be developed. Overall, the direct impact is a moderate confidentiality breach with potential cascading effects on physical and operational security.
Mitigation Recommendations
European organizations should first inventory every Davantis DFUSION instance and record its version; anything before 6.186.1 is affected. Upgrade to 6.186.1 or later; this page carries no vendor advisory link, so confirm the fixed build and any interim guidance with Davantis support. Until the upgrade is done, restrict network access to the management interface with segmentation and firewall rules so that only administrative hosts on the management network can reach it, and put remote administration behind a VPN or zero-trust access broker. A reverse proxy or WAF in front of the interface can deny requests whose path matches /cameras/<CAMERA_ID>/perspective unless they come from the management network (or carry the application's session cookie, if the proxy can see it); the proxy cannot judge authorization itself, so this is a stopgap, not a fix. Enable access logging on the interface and alert on requests to that path from any source outside the management network; a 200 response to such a request is the signature of this vulnerability being used and should be handled as a potential reconnaissance event against the site. Include access-control checks on camera and VMS interfaces in regular audits and penetration tests, brief physical-security staff that camera configuration data is sensitive, and fold this CVE into incident response plans. Finally, verify after patching that an unauthenticated request to the endpoint is now rejected.
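Helpers for the assessment and monitoring steps above, as an added example that is not Davantis or vendor tooling: a version comparison against the 6.186.1 fix, a triage pass over web-server access logs that flags requests to the perspective endpoint from outside the management network, and an unauthenticated probe for confirming exposure or a successful patch. The version string format, the combined access-log format, the trusted address ranges and the response codes the probe expects are assumptions; the log lines are constructed. Run the probe only against systems you are authorized to test.

```python
"""Added example (not Davantis or vendor tooling): helpers for the assessment
and monitoring steps for CVE-2025-41017. Version format, log format, trusted
network ranges and expected response codes are assumptions; the sample log
lines are constructed."""
import ipaddress
import re
import urllib.error
import urllib.request

FIXED_VERSION = (6, 186, 1)  # fix version reported for this CVE
PERSPECTIVE_PATH = re.compile(r"^/cameras/[^/]+/perspective/?$")


def parse_version(v: str) -> tuple:
    """'6.177.7' -> (6, 177, 7). Non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version: str) -> bool:
    """True for any release prior to 6.186.1."""
    return parse_version(version) < FIXED_VERSION


# Combined (Apache/nginx-style) access-log line; field layout assumed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def flag_perspective_requests(log_lines, trusted_nets):
    """Return (ip, path, status) for every request to the perspective endpoint
    that did not come from a trusted management network. A 200 from an
    untrusted source means the parameters were handed out."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string
        if not PERSPECTIVE_PATH.match(path):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in n for n in nets):
            continue
        hits.append((m["ip"], path, int(m["status"])))
    return hits


def probe(base_url: str, camera_id: str, timeout: float = 5.0) -> str:
    """Unauthenticated GET to one camera's perspective endpoint (assumed URL
    layout). 'exposed' on 200, 'protected' on 401/403, otherwise 'unknown'."""
    url = f"{base_url.rstrip('/')}/cameras/{camera_id}/perspective"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "exposed" if resp.status == 200 else "unknown"
    except urllib.error.HTTPError as e:
        return "protected" if e.code in (401, 403) else "unknown"
    except (urllib.error.URLError, OSError):
        return "unknown"


# Constructed sample log lines: one management-network read, two from an
# outside address (one with a query string), one unrelated request.
SAMPLE_LOG = [
    '10.20.0.5 - - [24/Nov/2025:13:02:11 +0100] "GET /cameras/12/perspective HTTP/1.1" 200 318',
    '203.0.113.77 - - [24/Nov/2025:13:05:42 +0100] "GET /cameras/12/perspective HTTP/1.1" 200 318',
    '203.0.113.77 - - [24/Nov/2025:13:05:43 +0100] "GET /cameras/13/perspective?x=1 HTTP/1.1" 200 320',
    '198.51.100.9 - - [24/Nov/2025:13:06:00 +0100] "GET /login HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("6.177.7 affected:", is_affected("6.177.7"))
    for hit in flag_perspective_requests(SAMPLE_LOG, ["10.20.0.0/16"]):
        print("untrusted perspective read:", hit)
```

Point the log triage at the interface's access log and the management CIDRs you actually use; after upgrading, `probe()` against a known camera ID should return "protected".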
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:09:25.290Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6924518b00c839aeb20c718d
Added to database: 11/24/2025, 12:37:31 PM
Last enriched: 12/1/2025, 4:26:04 PM
Last updated: 2/7/2026, 12:03:02 PM