
CVE-2025-66049: CWE-306 Missing Authentication for Critical Function in Vivotek IP7137

Severity: High
Type: Vulnerability
Tags: cve-2025-66049, cwe-306
Published: Fri Jan 09 2026 (01/09/2026, 11:53:41 UTC)
Source: CVE Database V5
Vendor/Project: Vivotek
Product: IP7137

Description

Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has reached its End-Of-Life phase, a fix is not expected to be released.

AI-Powered Analysis

AI analysis last updated: 01/09/2026, 12:07:28 UTC

Technical Analysis

CVE-2025-66049 identifies a critical security vulnerability in the Vivotek IP7137 IP camera, specifically firmware version 0200a, where the RTSP (Real Time Streaming Protocol) service on port 8554 does not require any authentication to access live video streams. This represents a classic case of CWE-306, Missing Authentication for a Critical Function, allowing any network-connected attacker to view live camera footage without credentials. The vulnerability compromises confidentiality by exposing sensitive surveillance data, potentially enabling espionage, privacy violations, or reconnaissance for further attacks. The vendor has not responded to the CNA and the product is end-of-life, meaning no patches or firmware updates will be issued to remediate this flaw. The CVSS 4.0 base score of 8.7 reflects a network attack vector with low complexity, no privileges or user interaction required, and a high impact on confidentiality. Although no known exploits have been reported in the wild, the simplicity of exploitation and the critical nature of the exposed data make this a significant threat. The vulnerability affects all devices running the specified firmware, and possibly other versions, given the lack of vendor response. Organizations using these cameras must assume exposure and take immediate compensating controls to prevent unauthorized access to video feeds.

Potential Impact

For European organizations, this vulnerability poses a substantial risk to privacy and security, especially for entities relying on Vivotek IP7137 cameras for physical security monitoring. Unauthorized access to live video streams can lead to exposure of sensitive operational environments, employee activities, or confidential information. Critical infrastructure operators, government agencies, and enterprises in sectors such as finance, healthcare, and manufacturing could face espionage, reputational damage, or regulatory penalties under GDPR due to unauthorized data disclosure. The lack of vendor support and patches increases the risk of prolonged exposure. Attackers could leverage the vulnerability for surveillance, planning physical intrusions, or launching further cyberattacks. The ease of exploitation means even low-skilled attackers with network access can compromise these devices, amplifying the threat landscape. Additionally, compromised cameras could be used as entry points into internal networks if not properly segmented.

Mitigation Recommendations

Given the absence of vendor patches, European organizations must implement compensating controls. First, isolate the affected cameras on dedicated VLANs or network segments with strict access controls to limit exposure to trusted personnel only. Disable RTSP streaming if not essential, or restrict access to RTSP port 8554 via firewall rules to authorized IP addresses. Replace end-of-life Vivotek IP7137 cameras with supported models that enforce strong authentication and receive security updates. Employ network monitoring to detect unauthorized access attempts to the cameras. If replacement is not immediately feasible, consider deploying VPNs or encrypted tunnels for remote access to the camera feeds to add an authentication layer. Regularly audit and update network device inventories to identify and remediate vulnerable devices. Finally, raise user awareness about the risks of exposed surveillance devices and enforce strict physical security policies.
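The monitoring step above (detect unauthorized access attempts to the cameras) can be implemented against ordinary firewall logs. The script below is an added example for this page, not code from the CVE record, CERT-PL or Vivotek. It parses constructed iptables-style connection log lines, and flags any TCP connection to port 8554 on a known camera that does not originate from an allow-listed viewer segment. The camera addresses (10.20.30.11, 10.20.30.12), the viewer network (10.20.40.0/24) and the log lines are all assumed sample values.

```python
"""
Flag connections to the unauthenticated RTSP port (8554) of end-of-life
Vivotek IP7137 cameras from firewall connection logs.

Added example for the mitigation advice above; not from the CVE record or the
vendor. The log format, camera addresses and allow-list are constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

RTSP_PORT = 8554  # port named in the CVE description

# Constructed inventory: camera addresses and the segment allowed to pull streams.
CAMERAS = {ip_address("10.20.30.11"), ip_address("10.20.30.12")}
ALLOWED_VIEWERS = [ip_network("10.20.40.0/24")]  # assumed NVR / security-desk VLAN

# Constructed log lines in an iptables LOG-target style ("SRC= DST= PROTO= SPT= DPT=").
SAMPLE_LOG = """\
Jan 09 11:50:02 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.40.5 DST=10.20.30.11 PROTO=TCP SPT=51422 DPT=8554 SYN
Jan 09 11:50:07 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.40.5 DST=10.20.30.12 PROTO=TCP SPT=51423 DPT=8554 SYN
Jan 09 11:51:13 fw kernel: IN=eth0 OUT=eth2 SRC=192.0.2.77 DST=10.20.30.11 PROTO=TCP SPT=40111 DPT=8554 SYN
Jan 09 11:51:14 fw kernel: IN=eth0 OUT=eth2 SRC=192.0.2.77 DST=10.20.30.12 PROTO=TCP SPT=40112 DPT=8554 SYN
Jan 09 11:52:30 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.50.9 DST=10.20.30.11 PROTO=TCP SPT=60001 DPT=80 SYN
Jan 09 11:53:41 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.50.9 DST=10.20.30.11 PROTO=TCP SPT=60002 DPT=8554 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a flow record, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return ip_address(m["src"]), ip_address(m["dst"]), m["proto"], int(m["dpt"])


def is_allowed_viewer(src):
    """True when the source address sits in an allow-listed viewer segment."""
    return any(src in net for net in ALLOWED_VIEWERS)


def find_unauthorized_rtsp(log_text):
    """Group RTSP connection attempts from non-allow-listed sources by source.

    Returns {source_ip: sorted list of camera IPs that source connected to}.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if dst in CAMERAS and proto == "TCP" and dport == RTSP_PORT and not is_allowed_viewer(src):
            hits[str(src)].add(str(dst))
    return {src: sorted(cams) for src, cams in hits.items()}


if __name__ == "__main__":
    for src, cams in find_unauthorized_rtsp(SAMPLE_LOG).items():
        print(f"ALERT: {src} opened RTSP ({RTSP_PORT}/tcp) to camera(s) {', '.join(cams)}")
```

Because the camera itself cannot refuse the connection, the allow-list is the only authentication layer that exists; the same match condition (destination in the camera set, TCP port 8554, source outside the viewer segment) is what the firewall deny rule from the recommendations should enforce, so the alert also serves as a check that the rule is actually in place.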


Technical Details

Data Version: 5.2
Assigner Short Name: CERT-PL
Date Reserved: 2025-11-21T10:41:30.019Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6960eda77a8fb5c58f471d14

Added to database: 1/9/2026, 11:59:35 AM

Last enriched: 1/9/2026, 12:07:28 PM

Last updated: 2/21/2026, 2:49:15 AM

Views: 100
