CVE-2025-66049
Published: 09 January 2026
Summary
CVE-2025-66049 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vivotek IP7137 firmware. Its listed CVSS base score is 8.7 (High); the CVSS v3.1 vector discussed below scores 7.5.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked in the 28.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and AC-14 (Permitted Actions Without Identification or Authentication).
Deeper analysis
CVE-2025-66049 is an information disclosure vulnerability affecting the Vivotek IP7137 IP camera running firmware version 0200a. The issue stems from a lack of authentication in the RTSP protocol service listening on TCP port 8554, enabling unauthorized access to live camera footage. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low complexity and no privileges required.
Any attacker with network reachability to TCP port 8554 on the camera can connect with an ordinary RTSP client and request the live stream; the service never challenges for credentials, so no user interaction, prior access or special privileges are needed. Successful exploitation compromises user privacy and physical security by exposing potentially sensitive surveillance footage.
The sole advisory reference at https://cert.pl/posts/2026/01/CVE-2025-66049 notes that the vendor has not responded to the CNA, and all firmware versions may be affected. As the IP7137 has reached end-of-life, no patches or fixes are expected, leaving mitigation reliant on network segmentation, firewall rules blocking port 8554, or device replacement.
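Because no vendor fix is expected, the practical question for an operator is whether a given camera still answers RTSP without a credential challenge, both before and after the firewall or segmentation change is applied. The following audit check is an added example written for this page; it is not from the CERT-PL advisory, the vendor or any scanner. It sends a single RTSP DESCRIBE to the service and classifies the reply: a server that enforces authentication answers 401 with a WWW-Authenticate header, while an unauthenticated server answers 200 with an SDP description. The stream path on the IP7137 is not given in the advisory, so the path argument, the hostnames and the two sample replies used for the offline self-check are assumptions constructed for the example.

```python
"""Audit check: does an RTSP service on TCP 8554 answer DESCRIBE without authentication?

Added example, not code from the advisory or the vendor. The camera's stream
path is not published in the advisory, so it is a caller-supplied assumption.
"""
import re
import socket

# RTSP status line, e.g. "RTSP/1.0 401 Unauthorized"
STATUS_RE = re.compile(rb"^RTSP/\d\.\d (\d{3}) ")


def build_describe(host: str, port: int, path: str, cseq: int = 1) -> bytes:
    """Build an RTSP DESCRIBE request (RFC 2326 framing, CRLF line endings)."""
    url = f"rtsp://{host}:{port}/{path.lstrip('/')}"
    lines = [
        f"DESCRIBE {url} RTSP/1.0",
        f"CSeq: {cseq}",
        "Accept: application/sdp",
        "User-Agent: rtsp-auth-audit",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def classify_response(raw: bytes) -> dict:
    """Parse the status line and headers of an RTSP reply.

    Returns {"status": int | None, "verdict": str, "auth_scheme": str | None}.
    verdict is one of: "unauthenticated-access" (200 to DESCRIBE, the CVE-2025-66049
    condition), "auth-required" (401 challenge), "other", or "invalid".
    """
    m = STATUS_RE.match(raw)
    if not m:
        return {"status": None, "verdict": "invalid", "auth_scheme": None}
    status = int(m.group(1))
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    scheme = None
    challenge = headers.get(b"www-authenticate")
    if challenge:
        # First token is the scheme, e.g. "Digest" or "Basic"
        scheme = challenge.split(b" ", 1)[0].decode(errors="replace")
    if status == 200:
        verdict = "unauthenticated-access"
    elif status == 401:
        verdict = "auth-required"
    else:
        verdict = "other"
    return {"status": status, "verdict": verdict, "auth_scheme": scheme}


def probe(host: str, path: str, port: int = 8554, timeout: float = 5.0) -> dict:
    """Send one DESCRIBE over TCP and classify the reply.

    Only run against devices you are authorised to test. Reading stops once the
    header block is complete; the SDP body is not needed for the verdict.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_describe(host, port, path))
        buf = b""
        while b"\r\n\r\n" not in buf:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return classify_response(buf)


# Constructed sample replies (not captured from a real IP7137) so the
# classifier can be exercised offline.
SAMPLE_OPEN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
               b"Content-Length: 42\r\n\r\nv=0\r\no=- 0 0 IN IP4 0.0.0.0\r\ns=cam\r\n")
SAMPLE_LOCKED = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                 b'WWW-Authenticate: Digest realm="camera", nonce="abc"\r\n\r\n')

if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("locked", SAMPLE_LOCKED)):
        print(label, classify_response(sample))
    # Live use (assumed host and path): probe("192.0.2.10", "/live.sdp")
```

A verdict of "unauthenticated-access" from a host outside the camera VLAN means the segmentation or firewall rule is not in place; after the rule is applied the probe should fail to connect at all rather than return a 401, since the advisory gives no way to enable authentication on the device itself.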
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1737
- 🇵🇱 CERT-PL: cert.pl
Vulnerability details
Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on the network-exposed RTSP service lets a remote attacker exploit the device directly (T1190, Exploit Public-Facing Application) and then capture the live video feed (T1125, Video Capture).
Mitigating Controls (NIST 800-53 r5)
SC-7 implements boundary protection via firewalls or network segmentation to block unauthorized external access to the unauthenticated RTSP service on port 8554.
AC-14 requires the organization to define, document and review which actions may be performed without identification or authentication. Viewing live surveillance footage is not such an action, so the unauthenticated RTSP service violates this control; because no firmware fix is expected, the control can only be satisfied by restricting who can reach the service, not by reconfiguring the device.
SC-41 (Port and I/O Device Access) concerns physically disabling or removing connection ports and input/output devices on a system; it does not govern filtering of network (TCP) ports. Restricting traffic to TCP port 8554 is a boundary-protection measure under SC-7.