# Critical Authentication Bypass Discovered in Hangzhou Xiongmai XM530 IP Cameras
A critical vulnerability has been identified in **Hangzhou Xiongmai Technology Co., Ltd** XM530 IP cameras, potentially allowing unauthorized remote access. The flaw, tracked as **CVE-2025-65856**, stems from a missing authentication check for critical functions, exposing sensitive information and live video streams.
## Authentication Bypass Exposes Xiongmai IP Cameras
Security researchers have uncovered a significant vulnerability affecting **Hangzhou Xiongmai Technology Co., Ltd** XM530 IP cameras. The vulnerability, designated as **CVE-2025-65856**, could allow attackers to bypass authentication and gain remote access to sensitive information and live video feeds from the affected devices.
### Vulnerability Details
The vulnerability resides in the **ONVIF** implementation of the camera's firmware (V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06). A failure to enforce authentication on 31 critical endpoints allows direct, unauthorized access to video streams. This means that an attacker could potentially view live video without any authentication.
The Common Weakness Enumeration (**CWE**) associated with this vulnerability is **CWE-306**, which stands for 'Missing Authentication for Critical Function'.
### Affected Products
* **Vendor:** Hangzhou Xiongmai Technology Co., Ltd
* **Product:** Hangzhou Xiongmai Technology Co., Ltd IP Camera XM530V200_X6-WEQ_8M
* **Firmware Version:** V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06
* **Status:** Known Affected
### Impact
Successful exploitation of this vulnerability could grant an attacker complete remote access to the device, enabling them to:
* View live video streams.
* Access sensitive device information.
* Potentially manipulate device settings (depending on the extent of the exposed endpoints).
### Mitigation
**CISA** (Cybersecurity and Infrastructure Security Agency) recommends the following measures to mitigate the risk of exploitation:
* Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (**VPNs**), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.
* Implement recommended cybersecurity strategies for proactive defense of ICS assets.
* Avoid clicking web links or opening attachments in unsolicited email messages.
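
For monitoring alongside these controls, the check below is an added example (not part of the CISA advisory or any vendor code). It scans recorded ONVIF SOAP exchanges and flags any request that carried no credentials yet received a non-Fault response, which is how CWE-306 shows up in traffic. The record layout, device names, `PRE_AUTH_OK` allowlist and the operation names in the sample are assumptions chosen for illustration, not the advisory's endpoint list.

```python
import xml.etree.ElementTree as ET  # for untrusted captures prefer defusedxml

# Assumption: operations your policy accepts without credentials.
PRE_AUTH_OK = {"GetSystemDateAndTime"}

def local(tag):  # drop the '{namespace}' prefix ElementTree adds to tag names
    return tag.rsplit("}", 1)[-1]

def parse(xml_text):
    """Return (operation, has_username_token) for a SOAP envelope, or (None, False)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, False
    parts = {local(c.tag): c for c in root}
    body = parts.get("Body")
    op = local(body[0].tag) if body is not None and len(body) else None
    header = parts.get("Header")
    token = header is not None and any(local(e.tag) == "UsernameToken" for e in header.iter())
    return op, token

def flag_unauthenticated(exchanges):
    """Return (device, operation) pairs answered with data despite no credentials."""
    hits = []
    for ex in exchanges:
        op, token = parse(ex["request"])
        http_auth = any(k.lower() == "authorization" for k in ex["headers"])
        if op is None or op in PRE_AUTH_OK or token or http_auth:
            continue  # unparseable, allowed pre-auth, or credentials were present
        resp_op, _ = parse(ex["response"])
        if ex["status"] == 200 and resp_op not in (None, "Fault"):
            hits.append((ex["device"], op))
    return hits

# Constructed sample exchanges (not captured from a real device).
ENV = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
       'xmlns:w="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">'
       '{header}<s:Body>{body}</s:Body></s:Envelope>')
TOKEN = "<s:Header><w:Security><w:UsernameToken/></w:Security></s:Header>"
def make_exchange(dev, req, status, resp, hdr=""):
    return {"device": dev, "headers": {}, "status": status,
            "request": ENV.format(header=hdr, body=req),
            "response": ENV.format(header="", body=resp)}
SAMPLE = [
    make_exchange("cam-a", "<GetProfiles/>", 200, "<GetProfilesResponse/>"),
    make_exchange("cam-b", "<GetProfiles/>", 400, "<s:Fault/>"),
    make_exchange("cam-a", "<GetProfiles/>", 200, "<GetProfilesResponse/>", TOKEN),
    make_exchange("cam-a", "<GetSystemDateAndTime/>", 200, "<GetSystemDateAndTimeResponse/>"),
]
```

Feed `flag_unauthenticated` from a proxy or sensor that records both the request and the response; a device that appears in its output answered a protected-looking operation without being shown credentials.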
### Acknowledgements
**CISA** acknowledged that a public Proof of Concept (**PoC**) was discovered and authored by Luis Miranda Acebedo, who reported it to **MITRE**.
### References
* [CISA Advisory](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-05.json)
* [CVE-2025-65856](https://www.cve.org/CVERecord?id=CVE-2025-65856)