Cyber Posture

CVE-2025-65856

Critical · Public PoC

Published: 22 December 2025

Modified: 05 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0063 (70.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly requires identifying, authorizing, and monitoring actions permitted without identification or authentication, preventing exposure of the 31 critical ONVIF endpoints lacking enforcement.

prevent

Mandates enforcement of approved access authorizations for system resources, directly countering the authentication bypass on sensitive device information and video streams.

prevent

Requires unique identification and authentication for non-organizational users, mitigating unauthenticated remote attacker access to the vulnerable IP camera endpoints.

Security Summary [AI]

CVE-2025-65856 is an authentication bypass vulnerability in Xiongmai XM530 IP cameras running firmware version V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The flaw arises from the ONVIF implementation's failure to enforce authentication on 31 critical endpoints, enabling unauthenticated remote attackers to access sensitive device information and live video streams. Published on 2025-12-22, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-306 (Missing Authentication for Critical Function).

Unauthenticated remote attackers with network access to affected cameras can exploit this vulnerability with low complexity and no privileges or user interaction required. Exploitation allows direct unauthorized access to sensitive device data and live video streams, potentially exposing private surveillance footage and device configurations.

Advisories and further details on mitigation, including potential patches, are documented in the following references: http://hangzhou.com, http://ip.com, and https://luismirandaacebedo.github.io/CVE-2025-65856/.

Details

CWE(s)

Affected Products

xiongmaitech
xm530v200 x6-weq 8m firmware
5.00.r02.000807d8.10010.346624.s.onvif_21.06

MITRE ATT&CK Enterprise Techniques [AI]

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing IP camera's ONVIF endpoints, directly enabling exploitation of a public-facing application for unauthorized access to sensitive data and video streams.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References