NOYAFA Xiami LF9 Pro Improper Access Control Vulnerability in RTSP Live Video Stream Endpoint
Vulnerability
An improper access control vulnerability has been identified in the NOYAFA Xiami LF9 Pro dashcam in versions prior to 20250611. The flaw lies in the RTSP Live Video Stream Endpoint: an attacker can view the live video feed and download all recorded videos without any authentication. Exploitation is remote but limited to the local network.
Impact
Exploitation of this vulnerability allows for unauthorized access to the dashcam's live video stream and recorded footage, creating a risk of sensitive information disclosure.
Reproduction
To reproduce this vulnerability, connect to the same local network as the affected dashcam. Once connected, the live stream can be accessed via RTSP on port 554. Recorded videos can be downloaded over HTTP on port 80 by requesting specific filenames; the file list is obtained by registering the client and using the available API calls.
Remediation
It is recommended to implement proper firewall rules that block access from untrusted hosts to the dashcam's RTSP (554/TCP) video stream and HTTP (80/TCP) recording download services.
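Because the device itself performs no authentication, the only signal a defender has is who on the LAN talked to it. The following added example (not part of the advisory or the vendor's code) flags any host other than an allowlisted viewer that connected to the dashcam's RTSP or HTTP port; the flow-log format, IP addresses and allowlist are constructed placeholders.

```python
# Added example (not from the advisory): flag LAN hosts that reached the
# dashcam's unauthenticated RTSP (554/TCP) or HTTP (80/TCP) services.
# Input is a constructed, simplified flow log; all addresses are placeholders.
from dataclasses import dataclass

# Ports the advisory names: RTSP live stream and HTTP recording download.
EXPOSED_PORTS = {554: "rtsp-live-stream", 80: "http-recordings"}


@dataclass(frozen=True)
class Finding:
    src: str
    dst_port: int
    service: str


def parse_flow_line(line):
    """Parse 'proto src:sport -> dst:dport' (constructed format); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    proto, src, dst = parts[0], parts[1], parts[3]
    try:
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        return proto, src_ip, dst_ip, int(dport)
    except ValueError:
        return None


def find_unauthorized_access(lines, dashcam_ip, allowed_viewers):
    """Return one Finding per TCP flow to an exposed dashcam port from a non-allowlisted source."""
    findings = []
    for line in lines:
        parsed = parse_flow_line(line)
        if parsed is None:
            continue  # malformed line, skip rather than crash the monitor
        proto, src_ip, dst_ip, dport = parsed
        if proto != "tcp" or dst_ip != dashcam_ip or dport not in EXPOSED_PORTS:
            continue
        if src_ip in allowed_viewers:
            continue
        findings.append(Finding(src_ip, dport, EXPOSED_PORTS[dport]))
    return findings


SAMPLE_FLOWS = [  # constructed sample log; 192.0.2.50 is the hypothetical dashcam
    "tcp 192.0.2.10:51234 -> 192.0.2.50:554",   # allowed viewer watching live stream
    "tcp 192.0.2.77:40211 -> 192.0.2.50:554",   # unknown host pulling live stream
    "tcp 192.0.2.77:40212 -> 192.0.2.50:80",    # same host fetching recordings
    "udp 192.0.2.77:5353 -> 224.0.0.251:5353",  # unrelated mDNS traffic, ignored
    "garbage line",                             # malformed entry, ignored
]

if __name__ == "__main__":
    for f in find_unauthorized_access(SAMPLE_FLOWS, "192.0.2.50", {"192.0.2.10"}):
        print(f"ALERT {f.src} -> {f.service} (port {f.dst_port})")
```

Feed it real flow records (e.g. from the router or a LAN sensor) in place of the constructed list to see which hosts can reach the device before the firewall rules above are in place.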
