CVE-2025-62674 is a vulnerability identified in the iCam365 P201 camera system, classified under CWE-306, which relates to missing or inadequate authentication controls. The vulnerability specifically affects the Real Time Streaming Protocol (RTSP) services of the device, allowing unauthenticated remote attackers to access camera configuration information. This access could reveal sensitive details about the camera setup, potentially enabling attackers to manipulate device settings or intercept video streams. The CVSS 4.0 base score is 7.0 (high), reflecting the vulnerability's characteristics: it requires adjacent network access (AV:A), has low attack complexity (AC:L), does not require authentication (AT:N), but does require low privileges (PR:L). No user interaction is needed (UI:N), and the impact on confidentiality is high (C:H), with low impact on integrity (I:L) and availability (A:L). The vulnerability does not affect system confidentiality (SC:N), integrity (SI:N), or availability (SA:N) beyond the RTSP service. The flaw is currently published and reserved by ICS-CERT, but no patches or known exploits are reported yet. The lack of authentication on RTSP services is a critical security oversight, as RTSP is commonly used for streaming video feeds from IP cameras. Attackers exploiting this vulnerability could gain unauthorized insight into camera configurations, potentially leading to privacy breaches or further exploitation of the device or network.

For European organizations, this vulnerability poses significant risks, especially for entities relying on iCam365 P201 cameras for security surveillance, such as government facilities, critical infrastructure, transportation hubs, and corporate environments. Unauthorized access to camera configuration data can lead to privacy violations, unauthorized surveillance, and potential manipulation of camera settings, undermining physical security measures. The exposure of RTSP streams could also facilitate interception or replay attacks, compromising the confidentiality and integrity of video feeds. Given the high confidentiality impact and ease of exploitation without user interaction, attackers could remotely access sensitive information with minimal effort. This could result in regulatory non-compliance under GDPR if personal data is exposed, reputational damage, and operational disruptions. The threat is particularly relevant for organizations with cameras accessible on internal or adjacent networks, including those using remote management or monitoring solutions that expose RTSP services.

1. Immediately restrict network access to RTSP services on iCam365 P201 devices by implementing network segmentation and firewall rules that limit RTSP traffic to trusted management networks only. 2. Disable RTSP services if not required or replace them with more secure streaming protocols that enforce authentication and encryption. 3. Monitor network traffic for unusual RTSP connection attempts or unauthorized access patterns using intrusion detection systems (IDS) or network monitoring tools. 4. Apply vendor patches or firmware updates as soon as they become available to address the authentication flaw. 5. Conduct a thorough inventory of all iCam365 P201 devices within the organization and verify their firmware versions and configurations. 6. Implement strong access control policies for camera management interfaces, including multi-factor authentication where possible. 7. Educate security teams about the risks associated with unauthenticated RTSP access and incorporate this vulnerability into incident response plans. 8. Consider deploying network-level authentication gateways or VPNs to secure remote access to camera streams. 9. Regularly audit camera configurations and logs to detect unauthorized changes or access attempts.