Cyber Resilience

CVE-2026-35903

CriticalPublic PoC

Published: 27 April 2026

Published
27 April 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0049 38.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-35903 is a critical-severity Improper Authentication (CWE-287) vulnerability in Mercurycom Mipc252W Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).

Deeper analysis

CVE-2026-35903 is an improper authentication vulnerability (CWE-287) affecting the RTSP service in the MERCURY MIPC252W IP camera running firmware version 1.0.5 Build 230306 Rel.79931n. The issue arises because, following a successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. This flaw enables RTSP methods such as SETUP, PLAY, and TEARDOWN to be processed even if the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier match those from a previously authenticated session. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Attackers with network access to the device can exploit this vulnerability by reusing session parameters (nonce and session ID) captured from a legitimate authenticated RTSP session. No privileges or user interaction are required, allowing remote exploitation without computing a valid Digest response. Successful exploitation grants unauthorized control over RTSP streams, enabling attackers to manipulate video playback, establish streams, or terminate sessions, potentially compromising confidentiality, integrity, and availability of the camera's video feed.

References providing additional details on the vulnerability, including potential proof-of-concept information, are available in GitHub repositories at https://github.com/izxnfh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_4th/README.md. No specific patch or mitigation guidance is detailed in the provided CVE information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within…

more

the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in the publicly accessible RTSP service of an IP camera, directly enabling remote exploitation of a public-facing application to gain unauthorized control over video streams.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31256Same product: Mercurycom Mipc252W
CVE-2025-50401Same vendor: Mercurycom
CVE-2025-50398Same vendor: Mercurycom
CVE-2025-1044Shared CWE-287
CVE-2026-1740Shared CWE-287
CVE-2026-7022Shared CWE-287
CVE-2024-13111Shared CWE-287
CVE-2026-29145Shared CWE-287
CVE-2018-25236Shared CWE-287
CVE-2024-53704Shared CWE-287

Affected Assets

mercurycom
mipc252w firmware
1.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 mandates protection of session authenticators against replay and reuse, directly preventing attackers from issuing unauthorized RTSP commands by reusing nonce and session identifiers without a valid Digest response.

prevent

IA-11 requires re-authentication for subsequent non-privileged or privileged actions after defined circumstances, ensuring verification of the Digest response for RTSP methods like SETUP, PLAY, and TEARDOWN within the same session.

prevent

AC-3 enforces approved authorizations for all logical access, requiring the RTSP service to validate authentication parameters on every request to block unauthorized session reuse.

References