The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning about a critical vulnerability affecting all versions of Survision License Plate Recognition (LPR) cameras, which could allow unauthenticated attackers to gain full access to affected systems.
According to CISA’s advisory, “Successful exploitation of this vulnerability could allow an attacker to fully access the system without requiring authentication.”
The vulnerability, tracked as CVE-2025-12108, carries a CVSS v3.1 base score of 9.8, indicating critical severity. CISA explains that the flaw stems from a lack of password enforcement in Survision’s configuration wizard, effectively allowing unauthenticated access to key system settings.
“The Survision LPR Camera system does not enforce password protection by default. This allows access to the configuration wizard immediately without a login prompt or credentials check,” the agency wrote in its bulletin.
This type of vulnerability falls under CWE-306: Missing Authentication for Critical Function, a class of security weaknesses that occurs when a product does not verify the identity of users before granting access to sensitive capabilities.
All Survision LPR Camera systems are affected, regardless of model or firmware generation. These network-connected surveillance cameras are commonly deployed by municipalities, transportation agencies, and parking management operators for automatic license plate recognition (ALPR) and vehicle monitoring, raising serious concerns about potential misuse or system manipulation if left unsecured.
While the agency noted that “no known public exploitation specifically targeting this vulnerability has been reported to CISA at this time,” it urges all users to apply mitigations immediately.
Survision has released firmware version v3.5, which introduces a new login/password authentication mechanism designed to protect configuration access.
The vendor also recommends that administrators define users and roles with minimal privileges and enforce client certificate authentication where feasible.
For installations that cannot be immediately upgraded, CISA advises activating existing security measures in older firmware versions: “On previous versions (inferior to 3.5), Survision recommends activating the ‘lock’ password in the security parameters and, where possible, enforce client certificate authentication.”
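As an added illustration of the CWE-306 pattern described above and of the login-plus-roles mitigation the vendor recommends (example code written for this article, not Survision firmware and not code from the advisory): a toy configuration-wizard handler that applies changes for anyone who can reach it, beside a hardened version that authenticates first and then checks a least-privilege role before allowing configuration changes. The request shape, the user store, the passwords, the role names and the settings keys are all constructed for the example.

```python
"""CWE-306 (missing authentication for a critical function) shown on a toy
configuration-wizard endpoint, beside a hardened version.

Added example; not Survision's firmware or CISA's code. The request/session
shape, the credential store, the 'configure'/'view' roles and the settings
keys are all constructed for this illustration.
"""
import hashlib
import hmac


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 so passwords are never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed: one fixed salt keeps the example short; real systems use a
# random per-user salt.
_SALT = b"constructed-example-salt"

# Constructed user store: user -> (password hash, least-privilege roles).
USERS = {
    "admin": {"pw": _hash_password("correct horse", _SALT),
              "roles": {"configure", "view"}},
    "operator": {"pw": _hash_password("battery staple", _SALT),
                 "roles": {"view"}},
}


def vulnerable_config_wizard(request: dict, settings: dict) -> tuple:
    """CWE-306: the wizard applies whatever changes it is handed and never
    asks who is sending them. Any client that can reach the port can
    reconfigure the device. Returns (status, resulting settings)."""
    updated = dict(settings)
    updated.update(request.get("changes", {}))
    return 200, updated


def authenticate(request: dict):
    """Return the user record when the request carries valid credentials,
    otherwise None. Unknown users still pay the hashing cost so the two
    failure paths take comparable time."""
    auth = request.get("auth") or {}
    user = USERS.get(auth.get("user", ""))
    candidate = _hash_password(auth.get("password", ""), _SALT)
    if user is None or not hmac.compare_digest(candidate, user["pw"]):
        return None
    return user


def hardened_config_wizard(request: dict, settings: dict) -> tuple:
    """Authenticate first (the v3.5-style login), then authorize the
    change against the caller's role (the vendor's 'minimal privileges'
    advice). Reads are allowed for any authenticated user; writes need the
    'configure' role."""
    user = authenticate(request)
    if user is None:
        return 401, {"error": "authentication required"}
    changes = request.get("changes", {})
    if changes and "configure" not in user["roles"]:
        return 403, {"error": "role lacks configure privilege"}
    updated = dict(settings)
    updated.update(changes)
    return 200, updated


if __name__ == "__main__":
    current = {"network.ip": "192.0.2.10", "recognition.region": "EU"}
    anon_change = {"changes": {"network.ip": "198.51.100.7"}}
    print("vulnerable, no credentials:", vulnerable_config_wizard(anon_change, current))
    print("hardened, no credentials:  ", hardened_config_wizard(anon_change, current))
    as_admin = {"auth": {"user": "admin", "password": "correct horse"},
                "changes": {"network.ip": "198.51.100.7"}}
    print("hardened, admin:           ", hardened_config_wizard(as_admin, current))
```

The two handlers differ only in the check that runs before the settings are touched; that check is exactly what the advisory says the default configuration lacks. Client certificate authentication, the other mitigation named, sits a layer lower (at the TLS handshake) and would normally be enforced by the web server or reverse proxy in front of a handler like this rather than inside it.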