CVE-2025-66049 in IP7137
Summary
by MITRE • 01/09/2026
Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/15/2026
The vulnerability identified as CVE-2025-66049 affects the Vivotek IP7137 IP camera model with firmware version 0200a, representing a critical information disclosure flaw that undermines fundamental security assumptions in networked video surveillance systems. This vulnerability specifically targets the Real-Time Streaming Protocol implementation within the camera's network services, where the RTSP server on port 8554 fails to enforce proper authentication mechanisms. The flaw allows any network-connected attacker to gain unauthorized access to live video feeds without requiring valid credentials, creating a severe privacy and security risk for organizations relying on this surveillance equipment. The issue stems from inadequate access control implementation within the camera's streaming service, where the system does not properly validate client authentication before granting access to sensitive video streams.
The technical exploitation of this vulnerability occurs through standard network reconnaissance and connection establishment to the RTSP service port 8554, where the camera's streaming server responds to unauthenticated requests with live video data. This represents a classic failure in secure by design principles, where the camera's network services assume that legitimate access should be granted without proper verification of user credentials or device authorization. The vulnerability manifests as a lack of authentication enforcement in the RTSP server implementation, which is classified under CWE-287 - Improper Authentication, and specifically relates to CWE-306 - Missing Authentication for Critical Function. The camera's firmware appears to have been configured with default settings that disable authentication for streaming services, creating an inherently insecure configuration that persists across all firmware versions and affects the entire product line.
From an operational perspective, this vulnerability creates significant risk for organizations deploying Vivotek IP7137 cameras, particularly in environments where physical security and privacy protection are paramount. Unauthorized access to live video feeds can result in privacy violations, corporate espionage, and potential criminal activity exploitation, as attackers can observe activities in real-time without detection. The impact extends beyond simple privacy concerns to include potential physical security breaches, where surveillance footage could reveal sensitive operational details, employee activities, or building layouts to unauthorized parties. Network administrators face the challenge of securing legacy equipment that no longer receives vendor support, creating a gap in security maintenance where known vulnerabilities remain unaddressed due to the end-of-life status of the product.
The vendor's lack of response to the coordinated vulnerability notification represents a critical failure in the security ecosystem, where manufacturers of security equipment do not provide remediation for known vulnerabilities in end-of-life products. This creates a dangerous situation where organizations must either accept the security risk of continued operation or invest in costly replacement of legacy equipment. The absence of a fix for this vulnerability, combined with the end-of-life status of the IP7137 model, leaves organizations in a difficult position where they must weigh the operational necessity of the surveillance system against the security risks it presents. According to ATT&CK framework, this vulnerability maps to T1046 - Network Service Scanning and T1566 - Phishing, as attackers can leverage this weakness to gain access to sensitive visual information through network reconnaissance and automated scanning techniques. Organizations should implement network segmentation to isolate affected cameras, disable unnecessary RTSP services, and consider immediate replacement of these devices with supported models that provide proper authentication mechanisms and ongoing security updates. The vulnerability also highlights the importance of network monitoring and intrusion detection systems that can identify unauthorized access attempts to streaming services, as the default configuration of the camera creates an easily exploitable entry point for malicious actors.