CVE-2026-51597 in MIPC252W IP camerainfo

Summary

by MITRE • 07/09/2026

MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network attacker can capture a legitimate authentication exchange and replay the nonce and response values in a new connection to bypass authentication without knowledge of the device credentials, gaining unauthorized access to the live video stream.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The MERCURY MIPC252W IP camera running firmware version 1.0.5 Build 230306 Rel.79931n presents a critical authentication vulnerability through its implementation of RTSP Digest authentication without proper nonce expiration mechanisms. This flaw resides in the camera's security architecture where the system fails to enforce time-based expiration of authentication nonces, creating a persistent credential reuse vulnerability that significantly weakens the overall security posture of the device.

The technical implementation error stems from the camera's failure to properly manage authentication state through the digest authentication framework as defined in RFC 2617. When a legitimate user establishes an RTSP connection, the camera generates a nonce value that should expire after a predetermined time period to prevent replay attacks. However, in this vulnerable implementation, the nonce remains valid indefinitely, allowing attackers to capture a single successful authentication exchange and reuse those credentials across multiple connections without requiring knowledge of the actual password or username.

This vulnerability directly maps to CWE-310, which describes weaknesses related to cryptographic implementations and specifically addresses issues with authentication mechanisms that fail to properly implement nonce expiration. The attack vector is particularly concerning as it requires only adjacent network access, making it exploitable from within the same local network segment where the device operates. An attacker positioned within the network can capture RTSP authentication packets using standard network sniffing tools, then leverage these captured credentials to establish unauthorized video streams without any prior knowledge of the legitimate user's credentials.

The operational impact of this vulnerability extends beyond simple unauthorized access to include potential privacy violations and security breaches. An attacker gaining access to the live video stream could potentially monitor activities in real-time, capture sensitive footage, or even manipulate the camera's functionality through additional exploitation techniques. The persistent nature of the vulnerability means that once an attacker successfully captures a valid nonce-response pair, they can maintain access indefinitely until the device is rebooted or the authentication cache is cleared.

From a cybersecurity perspective, this vulnerability aligns with ATT&CK technique T1071.004 which covers application layer protocol usage for command and control communications. The compromised camera becomes a potential pivot point within the network for further attacks, as attackers can leverage the authenticated session to explore other network resources or establish persistent access. The attack requires minimal technical expertise beyond basic network reconnaissance and packet capture capabilities.

The recommended mitigations include implementing proper nonce expiration mechanisms within the RTSP authentication framework, ensuring that generated nonces have a limited lifetime typically ranging from minutes to hours depending on security requirements. Network segmentation should be implemented to isolate IP cameras from general network traffic, and regular firmware updates should be deployed to address known vulnerabilities. Additionally, organizations should consider implementing network access control measures such as 802.1X authentication or firewall rules that restrict RTSP traffic to authorized hosts only, effectively reducing the attack surface for this particular vulnerability.

Responsible

MITRE

Reservation

06/08/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!