CVE-2025-9983 is a high-severity vulnerability affecting the GALAYOU G2 camera model, specifically version 11.100001.01.28. The vulnerability is classified under CWE-306, which denotes Missing Authentication for Critical Function. GALAYOU G2 cameras stream video output using RTSP (Real Time Streaming Protocol). Although the streams are nominally protected by randomly generated credentials, these credentials are effectively non-functional because the camera does not require authentication to access the RTSP stream. Changing the default credentials has no impact on access control, meaning any unauthenticated attacker can freely access the video stream. This represents a critical security flaw as it exposes potentially sensitive video feeds without any access restrictions. The vendor has not responded to reports of this vulnerability, and no patches or mitigations have been released. Only one firmware version (11.100001.01.28) has been tested, but other versions may also be vulnerable. The CVSS v4.0 base score is 7.1, reflecting a high severity due to the ease of exploitation (no authentication or user interaction required), the impact on confidentiality (full access to video streams), and the lack of required privileges. The attack vector is adjacent network (AV:A), meaning an attacker must be on the same local network or connected via VPN or similar means. The vulnerability does not impact integrity or availability but compromises confidentiality significantly. No known exploits are currently in the wild, but the simplicity of exploitation suggests a high risk of future abuse.

For European organizations, this vulnerability poses a significant privacy and security risk. Many organizations deploy IP cameras like GALAYOU G2 for surveillance, security monitoring, and operational oversight. Unauthorized access to live video streams can lead to exposure of sensitive information, including physical security layouts, personnel movements, and confidential activities. This can facilitate espionage, stalking, or targeted attacks. In sectors such as critical infrastructure, government facilities, healthcare, and corporate environments, compromised video feeds could undermine operational security and regulatory compliance (e.g., GDPR requirements for protecting personal data). The lack of authentication also increases the risk of insider threats or attackers who gain limited network access. Since the vulnerability requires network adjacency, organizations with segmented networks or strict access controls may reduce exposure, but remote access solutions or VPNs could still be exploited. The vendor's lack of response and absence of patches further exacerbate the risk, leaving organizations to rely on compensating controls.

Given the absence of vendor patches, European organizations should implement the following specific mitigations: 1) Network Segmentation: Isolate GALAYOU G2 cameras on dedicated VLANs or subnets with strict access controls to limit who can reach the RTSP streams. 2) Access Control Lists (ACLs): Configure firewalls and network devices to restrict RTSP traffic only to authorized monitoring stations or management systems. 3) Disable RTSP if not required or replace with more secure streaming protocols if supported. 4) Use VPNs or secure tunnels with strong authentication for remote access to camera streams, ensuring that only authenticated users can reach the camera network segment. 5) Monitor network traffic for unusual RTSP access patterns or unauthorized connections. 6) Consider replacing vulnerable cameras with models from vendors that provide proper authentication and timely security updates. 7) Implement physical security controls to prevent unauthorized local network access. 8) Regularly audit camera firmware versions and configurations to detect vulnerable devices. These measures go beyond generic advice by focusing on network-level controls and operational practices to compensate for the lack of device-level authentication.