Cyber Resilience

CVE-2025-66049

Severity: High
Published: 09 January 2026
Modified: 14 January 2026
KEV Added: not listed
Patch: none available (vendor has not responded; product is end-of-life)
CVSS v4.0 base score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0037 (28.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-66049 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vivotek IP7137 firmware. Its CVSS v4.0 base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-41 (Port and I/O Device Access).

Deeper analysis

CVE-2025-66049 is an information disclosure vulnerability affecting the Vivotek IP7137 IP camera running firmware version 0200a. The issue stems from a lack of authentication in the RTSP protocol service listening on TCP port 8554, enabling unauthorized access to live camera footage. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low complexity and no privileges required.

Any attacker with network access to the affected camera can exploit this vulnerability by connecting to port 8554 via RTSP, bypassing authentication entirely to stream and view real-time video feeds. No user interaction or special privileges are needed, making it remotely exploitable over the network. Successful exploitation compromises user privacy and physical security by exposing potentially sensitive surveillance footage.

The sole advisory reference at https://cert.pl/posts/2026/01/CVE-2025-66049 notes that the vendor has not responded to the CNA, and all firmware versions may be affected. As the IP7137 has reached end-of-life, no patches or fixes are expected, leaving mitigation reliant on network segmentation, firewall rules blocking port 8554, or device replacement.


Vulnerability details

Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has reached its End-Of-Life phase, a fix is not expected to be released.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1125 Video Capture (Collection): An adversary can leverage a computer's peripheral devices (e.
Why these techniques?

Missing authentication on public RTSP service directly enables remote exploitation of a network-exposed device (T1190) to capture live video feeds (T1125).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66052 (same product: Vivotek IP7137)
CVE-2025-66050 (same product: Vivotek IP7137)
CVE-2017-20213 (shared CWE-306)
CVE-2019-25236 (shared CWE-306)
CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)
CVE-2025-26362 (shared CWE-306)

Affected Assets

Vendor: vivotek
Product: ip7137 firmware
Version: 0200a

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-7 implements boundary protection via firewalls or network segmentation to block unauthorized external access to the unauthenticated RTSP service on port 8554.

Prevent: AC-14 identifies, authorizes, and reviews permitted actions without identification or authentication, directly prohibiting unauthenticated access to live camera footage via RTSP.

Prevent: SC-41 monitors and restricts communications at the port level, blocking traffic to TCP port 8554, the port exploited for information disclosure.
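Because no patch is expected, the practical controls above (SC-7 segmentation, SC-41 port restriction) need verification that they actually hold. The following added example, which is not part of the advisory or this page's analysis, reads perimeter firewall log lines and flags every allowed TCP connection to the camera's RTSP ports from a source outside the subnet that is permitted to view the feed. The log format, the camera address 10.20.9.12, the viewer subnet 10.20.5.0/24 and the internal range 10.0.0.0/8 are all assumptions constructed for the example; the sample log lines are constructed, not captured.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample log lines (not real logs) in an assumed key=value
# firewall format: timestamp host ACTION proto=... src=... dst=... dport=...
SAMPLE_LOGS = """\
2026-01-10T08:01:02Z fw01 ALLOW proto=tcp src=10.20.5.40 dst=10.20.9.12 dport=8554
2026-01-10T08:01:05Z fw01 ALLOW proto=tcp src=203.0.113.77 dst=10.20.9.12 dport=8554
2026-01-10T08:01:09Z fw01 ALLOW proto=tcp src=10.20.5.41 dst=10.20.9.12 dport=554
2026-01-10T08:02:14Z fw01 ALLOW proto=tcp src=198.51.100.9 dst=10.20.9.12 dport=8554
2026-01-10T08:02:20Z fw01 DENY proto=tcp src=198.51.100.9 dst=10.20.9.12 dport=8554
2026-01-10T08:02:45Z fw01 ALLOW proto=tcp src=10.20.7.5 dst=10.20.9.12 dport=8554
2026-01-10T08:03:00Z fw01 ALLOW proto=udp src=10.20.5.40 dst=10.20.9.12 dport=8554
"""

# Assumed environment values; replace with your own inventory.
CAMERA_HOSTS = {"10.20.9.12"}                                  # the IP7137 address
AUTHORISED_VIEWERS = [ipaddress.ip_network("10.20.5.0/24")]   # NVR / VMS subnet
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # everything we own
RTSP_PORTS = {554, 8554}                                      # 8554 is the port from the advisory


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, action = parts[0], parts[2]
    kv = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    try:
        return {"ts": ts, "action": action, "proto": kv["proto"],
                "src": kv["src"], "dst": kv["dst"], "dport": int(kv["dport"])}
    except (KeyError, ValueError):
        return None


def in_any(ip, networks):
    return any(ip in net for net in networks)


def find_unauthorised_rtsp(log_text, camera_hosts=CAMERA_HOSTS,
                           viewers=AUTHORISED_VIEWERS, internal=INTERNAL_NETS):
    """Return Findings for allowed TCP RTSP connections to a camera from
    any source not in the authorised viewer subnet(s). DENY lines are the
    boundary control working and are not reported."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["dst"] not in camera_hosts or rec["dport"] not in RTSP_PORTS:
            continue
        if rec["proto"] != "tcp" or rec["action"] != "ALLOW":
            continue
        src_ip = ipaddress.ip_address(rec["src"])
        if in_any(src_ip, viewers):
            continue  # expected consumer of the stream
        if in_any(src_ip, internal):
            reason = "internal host outside viewer subnet reached RTSP"
        else:
            reason = "external host reached RTSP (boundary rule missing)"
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["dport"], reason))
    return findings


if __name__ == "__main__":
    for f in find_unauthorised_rtsp(SAMPLE_LOGS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the constructed sample it reports three connections: two from addresses outside the internal range (the SC-7 boundary rule is not in place) and one from an internal host that is not an authorised viewer (segmentation between the camera VLAN and the rest of the LAN is incomplete). Feeding it real firewall exports after the rules are deployed gives a quick check that only the NVR subnet can still reach port 8554.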
