CVE-2025-66051: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Vivotek IP7137
Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond the webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for the administration panel is not set by default. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has reached its End-of-Life phase, a fix is not expected to be released.
AI Analysis
Technical Summary
CVE-2025-66051 is a path traversal vulnerability classified under CWE-22 affecting the Vivotek IP7137 network camera, specifically firmware version 0200a. This vulnerability allows an attacker with authenticated access to the device's web interface to craft HTTP requests that traverse directories beyond the intended webroot, potentially exposing sensitive files or system resources. The vulnerability is exacerbated by CVE-2025-66050, which reveals that the administration panel password is unset by default, effectively lowering the barrier to authentication and increasing the risk of exploitation. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity, with an attack vector over the network, low attack complexity, no privileges required (because the default administration password is blank, per CVE-2025-66050), no user interaction, and high impact on confidentiality. The vendor has not responded to the CNA and the product is at end-of-life, meaning no official patches or firmware updates are expected. This leaves affected devices permanently vulnerable unless mitigated by other means. The path traversal flaw can be exploited to read arbitrary files on the device, which may include configuration files, credentials, or logs, potentially leading to further compromise or lateral movement within a network. Given the nature of IP cameras as security devices, unauthorized access could also enable attackers to manipulate video feeds or disrupt surveillance operations.
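The CWE-22 pattern described above is a server that decodes a client-supplied path and joins it onto its webroot without checking where the result lands. The following example, added here and not taken from the advisory or from Vivotek's firmware, contrasts that naive resolution with a containment check that rejects any request whose normalised path leaves the webroot. The webroot path, the function names and the sample request paths are all assumptions constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical webroot for the demonstration; the IP7137's real directory layout is not on the page.
WEBROOT = "/var/www"


def naive_resolve(webroot: str, request_path: str) -> str:
    """The CWE-22 pattern: decode the client-supplied path and glue it onto the webroot.

    Nothing stops '..' segments from walking above the webroot, so a request for
    /../../etc/passwd resolves to a file outside the directory the server meant to expose.
    """
    return webroot + unquote(request_path)


def safe_resolve(webroot: str, request_path: str):
    """Containment check: return the resolved path, or None if it leaves the webroot.

    Steps: percent-decode once (as the HTTP layer would), reject NUL bytes,
    join onto the webroot, normalise lexically, then require the result to be
    the webroot itself or a descendant of it.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None  # a NUL byte can truncate the path inside a C-based server
    root = posixpath.normpath(webroot)
    # lstrip("/") keeps posixpath.join from discarding the webroot on absolute paths
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def classify(webroot: str, request_paths):
    """Map each request path to 'allowed' or 'blocked' under the containment check."""
    return {p: ("allowed" if safe_resolve(webroot, p) is not None else "blocked")
            for p in request_paths}


if __name__ == "__main__":
    # Constructed request paths: two ordinary ones, three that try to leave the webroot
    samples = ["/images/logo.png", "/docs/a/../b.html", "/../../etc/passwd",
               "/..%2f..%2fetc/passwd", "/img%00.jpg"]
    for path, verdict in classify(WEBROOT, samples).items():
        print(f"{verdict:8} {path!r:26} naive={naive_resolve(WEBROOT, path)!r} "
              f"safe={safe_resolve(WEBROOT, path)!r}")
```

The check is lexical: `posixpath.normpath` collapses `..` segments but does not follow symlinks, so a server on a real filesystem should additionally resolve the candidate with `os.path.realpath` before comparing it to the webroot. The example decodes exactly once, matching what an HTTP layer does; double-encoded input therefore survives as literal `%2e` characters and is simply looked up as an ordinary file name rather than being re-decoded into a traversal.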
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially in sectors relying heavily on IP surveillance such as critical infrastructure, transportation, government facilities, and corporate environments. Unauthorized access to camera files could expose sensitive configuration data or credentials, facilitating further attacks on the network. The blank default administration password increases the likelihood of unauthorized access, potentially allowing attackers to bypass authentication entirely. Compromise of surveillance devices can lead to loss of video integrity, privacy violations, and disruption of security monitoring. Since the product is end-of-life and unpatched, organizations face a persistent risk. Additionally, attackers could leverage the vulnerability to pivot into internal networks, increasing the risk of broader compromise. The medium CVSS score reflects a moderate but tangible threat, particularly when combined with the default password issue. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a critical risk for any organization still operating these devices.
Mitigation Recommendations
Given the lack of vendor patches, European organizations should implement compensating controls to mitigate this vulnerability. First, immediately change any default or blank passwords on the administration panel to strong, unique credentials to prevent unauthorized access. If possible, disable remote access to the camera's web interface, restricting management to trusted internal networks only. Network segmentation should be employed to isolate IP cameras from critical systems and limit lateral movement opportunities. Employ firewall rules to restrict inbound and outbound traffic to and from the camera devices. Monitor network traffic and device logs for unusual access patterns or attempts to exploit path traversal. Consider replacing end-of-life Vivotek IP7137 cameras with supported models that receive security updates. If replacement is not immediately feasible, deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect path traversal attempts. Regularly audit and inventory all IP cameras to ensure no unmanaged or vulnerable devices remain in operation. Finally, educate staff responsible for device management about the risks and ensure secure configuration practices are followed.
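Two of the recommendations above, monitoring device and proxy logs for traversal attempts and giving an IDS/IPS heuristics for them, can be prototyped in a few dozen lines. The following detector is added here as an illustration and is not part of the advisory or of any Vivotek tooling. It assumes an Apache/NGINX-style combined access-log layout (the IP7137's own log format is not documented on the page), and the sample lines are constructed with RFC 5737 test addresses. It goes slightly beyond the plain `../` case by catching percent-encoded, double-encoded and backslash variants, and it rates a traversal that received HTTP 200 higher than one that was refused.

```python
import re
from urllib.parse import unquote

# Assumed combined-log layout: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2026:11:59:35 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
192.0.2.10 - - [09/Jan/2026:11:59:36 +0000] "GET /live/stream.mjpg HTTP/1.1" 200 20480
198.51.100.7 - - [09/Jan/2026:12:01:02 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1337
198.51.100.7 - - [09/Jan/2026:12:01:03 +0000] "GET /..%2f..%2f..%2fetc/shadow HTTP/1.1" 404 162
198.51.100.7 - - [09/Jan/2026:12:01:04 +0000] "GET /%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 403 0
203.0.113.5 - - [09/Jan/2026:12:05:00 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 800
"""


def decode_target(raw: str):
    """Percent-decode until the string stops changing (max 3 rounds); return (decoded, rounds)."""
    cur, rounds = raw, 0
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur, rounds


def escapes_root(path: str) -> bool:
    """True if '..' segments ever take the path above the directory it started in."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):  # treat backslash as a separator too
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyse_target(raw_target: str) -> list:
    """Return the traversal indicators found in one request target (empty list if clean)."""
    decoded, rounds = decode_target(raw_target)
    path = decoded.split("?", 1)[0]          # ignore the query string
    segments = re.split(r"[\\/]+", path)
    reasons = []
    if "\x00" in path:
        reasons.append("null byte in path")
    if escapes_root(path):
        reasons.append("path escapes webroot")
    elif ".." in segments:
        reasons.append("dot-dot segment (stays inside webroot)")
    if rounds >= 2:
        reasons.append("double percent-encoding")
    elif rounds == 1 and ".." in segments and re.search(r"%2e|%2f|%5c", raw_target, re.I):
        reasons.append("percent-encoded traversal")
    return reasons


def scan_log(text: str) -> list:
    """Parse each log line and emit a finding for every request with traversal indicators."""
    findings = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyse_target(m["target"])
        if not reasons:
            continue
        status = int(m["status"])
        if "path escapes webroot" in reasons:
            severity = "high" if status == 200 else "medium"  # 200 means the server served it
        else:
            severity = "low"
        findings.append({"line": lineno, "ip": m["ip"], "target": m["target"],
                         "status": status, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['severity']:6} {f['ip']:13} {f['status']} "
              f"{f['target']}  [{', '.join(f['reasons'])}]")
```

The depth counter in `escapes_root` is deliberately independent of any particular webroot, so the same logic can run on a proxy or IDS sensor that does not know the camera's filesystem layout. Requests that contain `..` but never climb above the start directory are reported at low severity so that legitimate relative links are not lost in the noise, while a traversal answered with HTTP 200 is the finding to escalate first, since it suggests the device actually returned the file.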
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-11-21T10:41:30.020Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6960eda77a8fb5c58f471d1a
Added to database: 1/9/2026, 11:59:35 AM
Last enriched: 1/9/2026, 12:08:06 PM
Last updated: 2/24/2026, 4:37:21 AM