Xiongmai XM530 IP Cameras RTSP Credential Exposure Vulnerability

Vulnerability

A vulnerability exists in Xiongmai XM530 IP cameras running firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The issue arises from the GetStreamUri ONVIF endpoint, which returns RTSP URIs that contain hardcoded credentials. This allows unauthorized access to live video streams. The credentials are embedded in the RTSP URI itself and transmitted in plaintext over HTTP, enabling direct access to the camera's video feed without any authentication.

Impact

Exploitation of this vulnerability allows an unauthenticated remote attacker to access live video and audio streams from the affected camera. The hardcoded credentials are identical across all devices, facilitating mass surveillance operations. This access violates the privacy of individuals captured by the camera, with potential legal repercussions under GDPR and other privacy regulations.

Reproduction

The vulnerability can be reproduced by sending a request to the GetStreamUri ONVIF endpoint. This request does not require authentication and can be made using tools like curl. The response will include an RTSP URI that contains the hardcoded credentials. These credentials can then be used to access the live video stream via RTSP-compatible applications such as VLC, FFplay, or FFmpeg.

Remediation

Users are advised to isolate the cameras on a VLAN with no internet access, block inbound connections to the RTSP port 554, and monitor RTSP connections for unexpected sessions. Given the vendor's poor security history, replacement of the cameras is strongly recommended. The vendor should remove hardcoded credentials, implement RTSP Digest Authentication, use session tokens with expiration, generate unique credentials per device, and apply rate limiting on RTSP connections.
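Two defender-side checks that follow from the advisory, as an added example that is not part of the original text: the first flags (and redacts) an RTSP URI carrying a user:password@ part, the condition GetStreamUri exposes; the second implements the "monitor RTSP connections for unexpected sessions" step over firewall log lines. The camera address 10.0.5.20, the recorder 10.0.5.1, the log format and the placeholder credentials are all constructed for this example.

```python
"""Checks for credential-bearing RTSP URIs and for unexpected RTSP sessions.
Addresses, log lines and credential values below are constructed for the
example; they are not taken from the device or from the advisory."""
import re
from urllib.parse import urlsplit, urlunsplit

RTSP_PORT = 554


def rtsp_uri_has_embedded_credentials(uri: str) -> bool:
    """True when an rtsp:// or rtsps:// URI carries a user:password@ part."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("rtsp", "rtsps"):
        return False
    return parts.username is not None or parts.password is not None


def redact_rtsp_uri(uri: str) -> str:
    """Strip the userinfo so the URI can be logged or put in a ticket."""
    parts = urlsplit(uri)
    if not rtsp_uri_has_embedded_credentials(uri):
        return uri
    host_port = parts.netloc.rsplit("@", 1)[-1]  # text after the last '@'
    return urlunsplit(parts._replace(netloc="REDACTED@" + host_port))


# Constructed firewall log: one accepted connection per line, key=value style.
SAMPLE_LOG = """\
2025-12-22T22:34:01Z src=10.0.5.1 dst=10.0.5.20 dport=554 proto=tcp action=accept
2025-12-22T22:35:12Z src=192.0.2.50 dst=10.0.5.20 dport=554 proto=tcp action=accept
2025-12-22T22:35:40Z src=192.0.2.50 dst=10.0.5.20 dport=80 proto=tcp action=accept
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def unexpected_rtsp_sessions(log_text: str, allowed_clients: set) -> list:
    """Return (src, dst) pairs for connections to the RTSP port whose source
    is not an expected client (e.g. the recorder); these merit triage."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m["dport"]) == RTSP_PORT and m["src"] not in allowed_clients:
            hits.append((m["src"], m["dst"]))
    return hits
```

Run `unexpected_rtsp_sessions(SAMPLE_LOG, {"10.0.5.1"})` to see the one session from outside the recorder flagged; the URI helpers take the string returned in a GetStreamUri response.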

Added: Dec 22, 2025, 10:34 PM
Updated: Dec 22, 2025, 10:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.