CVE-2025-66050
Published: 09 January 2026
Summary
CVE-2025-66050 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Vivotek Ip7137 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits use of end-of-life Vivotek IP7137 cameras with unsupported firmware vulnerable to default administrator authentication bypass.
Requires changing default authenticators prior to first use, directly mitigating the empty password allowing unauthenticated administrator login.
Limits and documents permitted actions without identification or authentication, preventing exposure of administrator functions without credentials.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Default/no-password admin account on network-exposed camera admin interface directly enables unauthenticated remote access and full device control.
NVD Description
Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a…
more
need. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.
Deeper analysisAI
CVE-2025-66050 is a critical authentication bypass vulnerability affecting the Vivotek IP7137 IP camera running firmware version 0200a. By default, the device does not require a password for administrator login, despite the option to configure one existing. Users are not prompted or informed about the need to set a password, leaving the admin interface exposed. The issue is tracked under CWE-1393 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). All firmware versions may be vulnerable, as the vendor has not responded to the CNA.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. An unauthenticated adversary can log in directly as an administrator, gaining full control over the camera. This allows high-impact compromise of confidentiality, integrity, and availability, such as viewing live feeds, modifying configurations, or disrupting device operations.
The referenced advisory at https://cert.pl/posts/2026/01/CVE-2025-66049 notes that the vendor has not replied to coordination efforts. The product has reached end-of-life, so no patches or fixes are expected to be released.
Security practitioners should isolate or decommission affected Vivotek IP7137 cameras, as no mitigations are available from the vendor. Network segmentation and monitoring for unauthorized admin access are recommended interim controls.
Details
- CWE(s)