CVE-2026-35903
Published: 27 April 2026
Summary
CVE-2026-35903 is a critical-severity Improper Authentication (CWE-287) vulnerability in Mercurycom Mipc252W Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 5.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 mandates protection of session authenticators against replay and reuse, directly preventing attackers from issuing unauthorized RTSP commands by reusing nonce and session identifiers without a valid Digest response.
IA-11 requires re-authentication for subsequent non-privileged or privileged actions after defined circumstances, ensuring verification of the Digest response for RTSP methods like SETUP, PLAY, and TEARDOWN within the same session.
AC-3 enforces approved authorizations for all logical access, requiring the RTSP service to validate authentication parameters on every request to block unauthorized session reuse.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in the publicly accessible RTSP service of an IP camera, directly enabling remote exploitation of a public-facing application to gain unauthorized control over video streams.
NVD Description
MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response.
Deeper analysis
CVE-2026-35903 is an improper authentication vulnerability (CWE-287) affecting the RTSP service in the MERCURY MIPC252W IP camera running firmware version 1.0.5 Build 230306 Rel.79931n. The issue arises because, following a successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. This flaw enables RTSP methods such as SETUP, PLAY, and TEARDOWN to be processed even if the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier match those from a previously authenticated session. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Attackers with network access to the device can exploit this vulnerability by reusing session parameters (nonce and session ID) captured from a legitimate authenticated RTSP session. No privileges or user interaction are required, allowing remote exploitation without computing a valid Digest response. Successful exploitation grants unauthorized control over RTSP streams, enabling attackers to manipulate video playback, establish streams, or terminate sessions, potentially compromising confidentiality, integrity, and availability of the camera's video feed.
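The following is an added illustration, not code from the advisory or from the vendor's firmware. It models the server-side check the NVD description says is missing (the Digest response is not recomputed for SETUP, PLAY and TEARDOWN once DESCRIBE has authenticated) beside the per-request verification that AC-3 and IA-11 call for. The realm, account, stream URI, nonce and session identifier are constructed sample values; the RTSP parsing is a minimal stand-in for a real server. Because RFC 2617's HA2 binds the method name, a response computed for DESCRIBE is not valid for PLAY, so the hardened verifier rejects both an empty response and a replayed DESCRIBE response.

```python
import hashlib
import hmac
import re

# Constructed sample values for this example; none come from the advisory.
REALM = "camera"
USERS = {"admin": "s3cret"}
STREAM_URI = "rtsp://camera.example/stream"
NONCE = "0123456789abcdef"
SESSION_ID = "12345678"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user: str, password: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 Digest response in the qop-less form used by RTSP (RFC 2326).
    HA2 includes the RTSP method, so each method needs its own response value."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_authorization(header: str) -> dict:
    """Turn 'Digest username="admin", nonce="..."' into a dict; empty dict if not Digest."""
    if not header.startswith("Digest "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def verify_digest(params: dict, method: str, nonce: str) -> bool:
    """Recompute the expected response for *this* method and compare in constant time."""
    password = USERS.get(params.get("username", ""))
    if password is None or params.get("nonce") != nonce or params.get("uri") != STREAM_URI:
        return False
    expected = digest_response(params["username"], password, nonce, method, STREAM_URI)
    return hmac.compare_digest(expected, params.get("response", ""))


class RtspSession:
    def __init__(self):
        self.authenticated = False
        self.session_id = None


def authorize_vulnerable(session: RtspSession, request: dict) -> bool:
    """Models the flawed logic described in the advisory: once DESCRIBE has
    authenticated, later methods pass on matching nonce and Session alone."""
    params = parse_authorization(request.get("authorization", ""))
    if (session.authenticated and request.get("session") == session.session_id
            and params.get("nonce") == NONCE):
        return True  # the response parameter is never examined here
    if verify_digest(params, request["method"], NONCE):
        session.authenticated = True
        session.session_id = SESSION_ID
        return True
    return False


def authorize_fixed(session: RtspSession, request: dict) -> bool:
    """Hardened logic: every request must carry a response valid for its own
    method (AC-3 / IA-11), and Session must match the authenticated session."""
    params = parse_authorization(request.get("authorization", ""))
    if not verify_digest(params, request["method"], NONCE):
        return False
    if session.session_id is not None and request.get("session") != session.session_id:
        return False
    session.authenticated = True
    session.session_id = SESSION_ID
    return True


def build_request(method: str, response: str, session: str = None) -> dict:
    auth = (f'Digest username="admin", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{STREAM_URI}", response="{response}"')
    req = {"method": method, "authorization": auth}
    if session:
        req["session"] = session
    return req


def run_scenario() -> dict:
    """Feed the advisory's request sequence to both verifiers;
    returns {step: (vulnerable_result, fixed_result)}."""
    vuln, fixed = RtspSession(), RtspSession()
    describe_resp = digest_response("admin", "s3cret", NONCE, "DESCRIBE", STREAM_URI)
    play_resp = digest_response("admin", "s3cret", NONCE, "PLAY", STREAM_URI)
    steps = {
        "describe_valid": build_request("DESCRIBE", describe_resp),
        "play_empty_response": build_request("PLAY", "", SESSION_ID),
        "play_replayed_describe_response": build_request("PLAY", describe_resp, SESSION_ID),
        "play_valid_response": build_request("PLAY", play_resp, SESSION_ID),
    }
    return {name: (authorize_vulnerable(vuln, req), authorize_fixed(fixed, req))
            for name, req in steps.items()}


if __name__ == "__main__":
    for step, (v, f) in run_scenario().items():
        print(f"{step:34s} vulnerable={v!s:5s} fixed={f}")
```

The fixed verifier addresses AC-3 and IA-11 by recomputing the response on every method. SC-23's replay concern is only partly covered: the qop-less Digest form has no nonce count, so a server that wants to limit reuse of a captured valid response must additionally expire or rotate nonces per session, which is outside this snippet.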
References providing additional details on the vulnerability, including potential proof-of-concept information, are available in GitHub repositories at https://github.com/izxnfh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_4th/README.md. No specific patch or mitigation guidance is detailed in the provided CVE information.
Details
- CWE(s)