CVE-2025-62674 identifies a vulnerability in the iCam365 P201 IP camera, where the Real Time Streaming Protocol (RTSP) service is accessible without authentication due to improper access control (CWE-306). RTSP is commonly used for streaming video and audio from IP cameras. In this case, the lack of authentication allows an attacker with network access to connect to the RTSP service and retrieve sensitive camera configuration information, which may include network settings, user credentials, or streaming parameters. The vulnerability has a CVSS 4.0 base score of 7.0, indicating high severity. The attack vector is adjacent network (AV:A), meaning the attacker must be on the same local network or connected via VPN. The attack complexity is low (AC:L), no privileges are required (PR:L, low privileges), and no user interaction is needed (UI:N). The impact on confidentiality is high (VC:H), while integrity and availability impacts are low (VI:L, VA:L). This suggests that while the attacker can access sensitive information, the ability to alter or disrupt the device is limited but not negligible. The vulnerability was published on November 20, 2025, with no patches currently available and no known exploits in the wild. The flaw arises from a failure to enforce authentication on RTSP endpoints, a critical oversight given the sensitive nature of surveillance devices. Attackers exploiting this vulnerability could gain unauthorized insight into camera configurations, potentially facilitating further attacks such as lateral movement, surveillance evasion, or device manipulation.

For European organizations, this vulnerability poses significant risks, particularly for entities relying on iCam365 P201 cameras for security, surveillance, or operational monitoring. Unauthorized access to camera configurations can lead to exposure of sensitive information, including network topology and credentials, which could be leveraged for broader network intrusion. Confidentiality breaches may compromise privacy and data protection compliance under GDPR. Integrity and availability impacts, though rated low, could still disrupt surveillance operations, affecting physical security and safety. Critical infrastructure sectors such as transportation, energy, and government facilities using these cameras are at heightened risk. The vulnerability's exploitation could facilitate espionage, unauthorized surveillance, or sabotage. Given the lack of patches, organizations face a window of exposure requiring immediate compensating controls. The adjacent network attack vector means internal network security posture is crucial; compromised or poorly segmented networks increase exploitation likelihood. Overall, the vulnerability undermines trust in surveillance systems and may have cascading effects on organizational security postures.

To mitigate CVE-2025-62674, European organizations should implement the following specific measures: 1) Immediately isolate iCam365 P201 devices on dedicated, segmented VLANs with strict access controls to limit network exposure to trusted hosts only. 2) Disable RTSP services on these devices if streaming functionality is not required, reducing the attack surface. 3) Employ network-level authentication and encryption mechanisms such as VPNs or IPsec tunnels for remote access to camera networks. 4) Monitor network traffic for unusual RTSP connection attempts or unauthorized access patterns using IDS/IPS solutions tuned for RTSP anomalies. 5) Regularly audit device configurations and firmware versions to detect unauthorized changes or updates. 6) Engage with the vendor for timeline on patches or firmware updates and apply them promptly once available. 7) Implement strong network segmentation between surveillance systems and critical IT infrastructure to prevent lateral movement. 8) Educate security teams on this specific vulnerability and incorporate it into incident response playbooks. These targeted actions go beyond generic advice by focusing on network architecture, service management, and proactive monitoring tailored to the RTSP access vector and device capabilities.