Cyber Resilience

CVE-2025-66050

Critical

Published: 09 January 2026

Published
09 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 25.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-66050 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Vivotek Ip7137 Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 25.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-66050 is a critical authentication bypass vulnerability affecting the Vivotek IP7137 IP camera running firmware version 0200a. By default, the device does not require a password for administrator login, despite the option to configure one existing. Users are not prompted or informed about the need to set a password, leaving the admin interface exposed. The issue is tracked under CWE-1393 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). All firmware versions may be vulnerable, as the vendor has not responded to the CNA.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. An unauthenticated adversary can log in directly as an administrator, gaining full control over the camera. This allows high-impact compromise of confidentiality, integrity, and availability, such as viewing live feeds, modifying configurations, or disrupting device operations.

The referenced advisory at https://cert.pl/posts/2026/01/CVE-2025-66049 notes that the vendor has not replied to coordination efforts. The product has reached end-of-life, so no patches or fixes are expected to be released.

Security practitioners should isolate or decommission affected Vivotek IP7137 cameras, as no mitigations are available from the vendor. Network segmentation and monitoring for unauthorized admin access are recommended interim controls.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a…

more

need. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1133 External Remote Services Persistence
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Default/no-password admin account on network-exposed camera admin interface directly enables unauthenticated remote access and full device control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66049Same product: Vivotek Ip7137
CVE-2025-66052Same product: Vivotek Ip7137
CVE-2026-24429Shared CWE-1393
CVE-2025-26793Shared CWE-1393
CVE-2026-30652Same vendor: Vivotek
CVE-2026-30649Same vendor: Vivotek
CVE-2026-30650Same vendor: Vivotek
CVE-2025-2347Shared CWE-1393
CVE-2025-22938Shared CWE-1393
CVE-2024-49559Shared CWE-1393

Affected Assets

vivotek
ip7137 firmware
0200a

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Prohibits use of end-of-life Vivotek IP7137 cameras with unsupported firmware vulnerable to default administrator authentication bypass.

prevent

Requires changing default authenticators prior to first use, directly mitigating the empty password allowing unauthenticated administrator login.

prevent

Limits and documents permitted actions without identification or authentication, preventing exposure of administrator functions without credentials.

References