This vulnerability affects Xiongmai XM530 IP cameras on a specific firmware version. The GetStreamUri function reveals RTSP URIs embedding hardcoded credentials, which can be used by attackers to bypass authentication and access live video streams directly. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact without affecting integrity or availability. The weakness is categorized under CWE-359 (Exposure of Private Information Through Query Strings in GET Request). No patch or vendor advisory is currently available, and the device is not a cloud service.

Successful exploitation allows an unauthenticated attacker to obtain direct access to live video streams from affected IP cameras, compromising the confidentiality of video data. There is no impact on integrity or availability reported. This exposure could lead to privacy violations or unauthorized surveillance.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting network access to the affected cameras, such as isolating them on a separate VLAN or using firewall rules to limit exposure. Monitoring for unusual access patterns may help detect exploitation attempts. Do not rely on the device's default security controls given the hardcoded credentials exposure.