70mai Dashcam M300 Improper Authentication Vulnerability in RTSP Live Video Stream Endpoint
Vulnerability
An improper authentication vulnerability has been identified in the 70mai M300 dashcam, affecting versions through 20250611. The issue is in the RTSP live video stream endpoint, specifically the /livestream/12 file. It allows unauthorized access to the live stream without the dashcam owner's knowledge. A remote attacker within the local network can exploit it without any form of authentication.
Impact
Exploiting this vulnerability gives unauthorized access to the dashcam's live video stream, potentially leading to privacy violations because the livestream can be viewed without the owner's knowledge.
Reproduction
To reproduce this vulnerability, connect to the same local network as the 70mai M300 dashcam. Once connected, access the RTSP live video stream through the endpoint /livestream/12 on port 554. This can be done using any RTSP-compatible media player or tool, such as VLC Media Player, without the need for authentication.
Remediation
It is recommended to implement firewall rules that block unauthorized access to the RTSP stream on port 554.
