Cyber Resilience

CVE-2025-65856

CriticalPublic PoC

Published: 22 December 2025

Published
22 December 2025
Modified
05 January 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0085 53.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-65856 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Xiongmaitech Xm530V200 X6-Weq 8M Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-65856 is an authentication bypass vulnerability in Xiongmai XM530 IP cameras running firmware version V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The flaw arises from the ONVIF implementation's failure to enforce authentication on 31 critical endpoints, enabling unauthenticated remote attackers to access sensitive device information and live video streams. Published on 2025-12-22, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-306 (Missing Authentication for Critical Function).

Unauthenticated remote attackers with network access to affected cameras can exploit this vulnerability with low complexity and no privileges or user interaction required. Exploitation allows direct unauthorized access to sensitive device data and live video streams, potentially exposing private surveillance footage and device configurations.

Advisories and further details on mitigation, including potential patches, are documented in the following references: http://hangzhou.com, http://ip.com, and https://luismirandaacebedo.github.io/CVE-2025-65856/.

EU & UK References

Vulnerability details

Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video…

more

stream access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing IP camera's ONVIF endpoints, directly enabling exploitation of a public-facing application for unauthorized access to sensitive data and video streams.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4640Shared CWE-306
CVE-2026-24728Shared CWE-306
CVE-2026-22788Shared CWE-306
CVE-2025-54816Shared CWE-306
CVE-2026-39393Shared CWE-306
CVE-2026-24177Shared CWE-306
CVE-2026-31882Shared CWE-306
CVE-2026-35523Shared CWE-306
CVE-2026-24789Shared CWE-306
CVE-2026-26944Shared CWE-306

Affected Assets

xiongmaitech
xm530v200 x6-weq 8m firmware
5.00.r02.000807d8.10010.346624.s.onvif_21.06

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identifying, authorizing, and monitoring actions permitted without identification or authentication, preventing exposure of the 31 critical ONVIF endpoints lacking enforcement.

prevent

Mandates enforcement of approved access authorizations for system resources, directly countering the authentication bypass on sensitive device information and video streams.

prevent

Requires unique identification and authentication for non-organizational users, mitigating unauthenticated remote attacker access to the vulnerable IP camera endpoints.

References