CVE-2025-65856

Xiongmai · Xiongmai Multiple Products

Executive summary

A critical authentication bypass vulnerability has been discovered in multiple Xiongmai IP camera products. This flaw allows unauthenticated remote attackers to bypass security measures and gain direct access to sensitive device information and live video streams, posing a significant risk to privacy and physical security.

Vulnerability

The vulnerability exists within the device's ONVIF (Open Network Video Interface Forum) implementation. The firmware fails to enforce proper authentication checks on at least 31 critical API endpoints. A remote, unauthenticated attacker can send specially crafted requests to these endpoints over the network to retrieve sensitive data, such as device configuration and network details, and, most critically, to access the RTSP (Real-Time Streaming Protocol) feed and view live video.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to severe consequences, including a complete loss of confidentiality and a major breach of privacy. Attackers could monitor live video feeds to conduct corporate espionage, surveil private spaces, or facilitate physical intrusions. Unauthorized access to device information could also be used as a foothold to launch further attacks against the internal network. A successful exploit would likely result in significant reputational damage and potential regulatory fines.

Remediation

Immediate Action:

  • Identify all vulnerable Xiongmai devices on the network.
  • Immediately apply the latest firmware updates provided by the vendor to patch the authentication bypass vulnerability.
  • If a patch is not yet available, restrict network access to the devices or take them offline.

Proactive Monitoring:

  • Monitor network traffic for direct, unauthorized connection attempts to the ONVIF service ports (typically TCP port 80 or other HTTP/SOAP ports) on affected cameras.
  • Review firewall and web server logs for suspicious requests to ONVIF endpoints originating from untrusted IP addresses.
  • Enable and centralize device access logs, if supported, and monitor for any anomalous activity.
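
The log review described above can be automated. The following is an added example, not vendor or advisory code: it flags ONVIF requests and RTSP connections that reach camera addresses from sources outside an allowlist. The log layout, the addresses, and the "/onvif/" path prefix are assumptions to adapt to your environment.

```python
import ipaddress
import re

# Assumed values for this example; none of them come from the advisory.
CAMERA_NET = ipaddress.ip_network("10.50.0.0/24")   # camera VLAN
TRUSTED = [ipaddress.ip_network("10.20.0.5/32")]    # video management server
ONVIF_PREFIX = "/onvif/"                            # assumed ONVIF path prefix
RTSP_PORT = 554                                     # default RTSP port

# Constructed log lines in an assumed "timestamp key=value ..." layout.
SAMPLE_LOG = """\
2025-01-01T10:00:00Z src=10.20.0.5 dst=10.50.0.11 dport=80 method=POST path=/onvif/device_service
2025-01-01T10:00:07Z src=10.30.4.77 dst=10.50.0.11 dport=80 method=POST path=/onvif/device_service
2025-01-01T10:00:09Z src=10.30.4.77 dst=10.50.0.11 dport=554 method=- path=-
2025-01-01T10:01:00Z src=10.30.4.77 dst=10.60.0.9 dport=80 method=GET path=/index.html
2025-01-01T10:02:00Z src=203.0.113.8 dst=10.50.0.12 dport=8080 method=POST path=/onvif/media_service
malformed line without fields
"""

def parse_line(line):
    """Return a dict of typed fields, or None for lines that do not parse."""
    try:
        ts, rest = line.split(None, 1)
        f = dict(re.findall(r"(\w+)=(\S+)", rest))
        return {"ts": ts, "src": ipaddress.ip_address(f["src"]),
                "dst": ipaddress.ip_address(f["dst"]),
                "dport": int(f["dport"]), "path": f.get("path", "-")}
    except (KeyError, ValueError):
        return None

def find_untrusted_access(log_text):
    """Flag ONVIF or RTSP traffic to cameras from sources outside TRUSTED."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in CAMERA_NET:
            continue
        if any(rec["src"] in net for net in TRUSTED):
            continue
        if rec["path"].lower().startswith(ONVIF_PREFIX):
            alerts.append((rec["ts"], str(rec["src"]), str(rec["dst"]), "onvif"))
        elif rec["dport"] == RTSP_PORT:
            alerts.append((rec["ts"], str(rec["src"]), str(rec["dst"]), "rtsp"))
    return alerts

if __name__ == "__main__":
    for alert in find_untrusted_access(SAMPLE_LOG):
        print(*alert)
```

Matching on the request path rather than a fixed port covers cameras that expose ONVIF on a non-default HTTP port.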

Compensating Controls:

  • If patching is not immediately possible, implement network segmentation to isolate IP cameras on a separate VLAN.
  • Apply strict firewall rules to allow access to the cameras only from trusted IP addresses, such as a dedicated video management server or security operations center.
  • Disable the ONVIF service on the cameras if it is not required for operational use.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the severe impact of a potential breach, we recommend that organizations treat this vulnerability with the highest priority. The immediate patching of all affected Xiongmai IP cameras is imperative. While this CVE is not currently on the CISA KEV list, its high severity makes it a likely candidate for future inclusion. Proactive implementation of compensating controls, particularly network segmentation for all IoT devices, is strongly advised to mitigate this and future threats.