CVE-2025-65857 is a vulnerability discovered in Xiongmai XM530 IP cameras running firmware version V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The vulnerability arises from the GetStreamUri API endpoint, which returns RTSP URIs embedded with hardcoded credentials. These credentials allow any unauthenticated attacker with network access to the camera to retrieve live video streams directly, bypassing any authentication mechanisms. The flaw is classified under CWE-359 (Exposure of Sensitive Information Through an Information Leak). The CVSS v3.1 base score is 7.5, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts confidentiality (C:H) but not integrity or availability. The vulnerability does not require authentication or user interaction, making exploitation straightforward once the device is reachable on the network. Although no public exploits are known yet, the presence of hardcoded credentials in RTSP URIs is a critical security design flaw that exposes sensitive video streams to unauthorized parties. This can lead to privacy violations, espionage, or surveillance abuse. The lack of available patches or firmware updates at the time of disclosure necessitates alternative mitigations such as network segmentation and access controls. Organizations deploying these cameras should inventory affected devices and monitor network traffic for suspicious RTSP requests. Given the widespread use of Xiongmai cameras in various sectors, this vulnerability poses a significant risk to video surveillance confidentiality.

For European organizations, the primary impact of CVE-2025-65857 is the compromise of video surveillance confidentiality. Unauthorized access to live video streams can lead to privacy breaches, exposure of sensitive operational environments, and potential intelligence gathering by malicious actors. Critical infrastructure facilities, government buildings, corporate offices, and public spaces using these cameras could be surveilled without consent, undermining security and trust. While the vulnerability does not affect system integrity or availability, the exposure of sensitive video data can facilitate further attacks or espionage. The ease of exploitation over the network means attackers can remotely access streams if devices are internet-facing or accessible via poorly secured internal networks. This risk is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized video access can lead to compliance violations and reputational damage. Additionally, the lack of patches increases the window of exposure, requiring organizations to implement compensating controls promptly.

1. Immediately identify and inventory all Xiongmai XM530 IP cameras running the vulnerable firmware version within the network. 2. Restrict network access to these cameras by implementing strict firewall rules and network segmentation, ensuring that only authorized management systems can communicate with them. 3. Disable or restrict RTSP access where possible, or require VPN or secure tunnels for remote access to video streams. 4. Monitor network traffic for unusual RTSP requests or connections that could indicate exploitation attempts. 5. Engage with the vendor or authorized support channels to obtain firmware updates or patches as soon as they become available. 6. If firmware updates are unavailable, consider replacing vulnerable devices with models that do not have hardcoded credential issues. 7. Implement strong physical security controls to prevent unauthorized local access to the cameras. 8. Educate security teams about this vulnerability to ensure rapid detection and response to any suspicious activity related to these devices.