The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-severity alert regarding a critical flaw affecting networked CCTV cameras, warning that malicious actors could easily hijack video feeds and steal administrative credentials. The vulnerability, tracked as CVE-2025-13607, carries a critical CVSS score of 9.4, signaling an urgent risk for organizations utilizing affected surveillance hardware.
The vulnerability is categorized as “Missing Authentication for Critical Function.” In simple terms, the cameras essentially leave the front door unlocked for anyone who knows where to look.
According to the advisory, the flaw allows an attacker to bypass security checks entirely. “A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.”
This creates a worst-case scenario for physical security teams: remote attackers could not only view private feeds but potentially harvest the credentials needed to pivot further into the network. “Successful exploitation of this vulnerability could result in information disclosure including capture of camera account credentials.”
The vulnerability was reported to CISA by researcher Souvik Kandar. It explicitly affects the D-Link DCS-F5614-L1 camera (versions v1.03.038 and prior), a model primarily associated with D-Link India.
D-Link has moved quickly to plug the hole, releasing firmware version V1.03.039a0340.02i46061.T078.2. Administrators managing these devices are urged to apply the update immediately.
However, the threat landscape remains murky for users of other brands. The CISA advisory indicates that the vulnerability may extend to equipment from Securus CCTV and Sparsh Securitech, but communication lines have gone cold.
“Securus CCTV and Sparsh Securitech did not respond to CISA’s requests for coordination,” the report states. As a result, specific affected models for these vendors remain unavailable, leaving users in the dark.
If you operate D-Link DCS-F5614-L1 cameras, download the update immediately. For users of Securus or Sparsh hardware, CISA advises taking a proactive approach since official patches are not yet confirmed. “Users of cameras from these vendors are encouraged to reach out to their respective customer service representatives to see if their specific model of camera is affected.”
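For teams that keep a camera inventory, the following Python script is an added example (not from the CISA advisory or from D-Link) that sorts devices into the actions described above: update, contact the vendor, or verify by hand. The CSV column names, host names and sample rows are constructed, and comparing only the three leading numeric fields of the firmware string is an assumption about how the version is ordered.

```python
import csv
import io
import re

AFFECTED_MODEL = "DCS-F5614-L1"      # model named in the advisory
LAST_VULNERABLE = (1, 3, 38)         # "v1.03.038 and prior"
UNCONFIRMED_VENDORS = {"securus cctv", "sparsh securitech"}  # no model list published

# Constructed sample inventory; column names are an assumption.
SAMPLE_INVENTORY = """\
host,vendor,model,firmware
cam-lobby,D-Link,DCS-F5614-L1,v1.03.038
cam-dock,D-Link,DCS-F5614-L1,V1.03.039a0340.02i46061.T078.2
cam-gate,D-Link,DCS-F5614-L1,v1.02.011
cam-yard,Sparsh Securitech,UNKNOWN-MODEL,unknown
cam-lab,D-Link,DCS-F5614-L1,
cam-roof,ExampleVendor,EX-100,2.0.1
"""

def parse_version(fw):
    """Return the leading major.minor.build fields as ints, or None.
    Assumption: the suffix after the third field does not affect ordering."""
    m = re.match(r"\s*[vV]?(\d+)\.(\d+)\.(\d+)", fw or "")
    return tuple(int(g) for g in m.groups()) if m else None

def triage(row):
    """Map one inventory row to an action label."""
    vendor = row["vendor"].strip().lower()
    model = row["model"].strip().upper()
    if vendor in UNCONFIRMED_VENDORS:
        return "CONTACT_VENDOR"          # affected models not published
    if vendor == "d-link" and model == AFFECTED_MODEL:
        ver = parse_version(row["firmware"])
        if ver is None:
            return "VERIFY_MANUALLY"     # missing or unparseable firmware field
        return "UPDATE" if ver <= LAST_VULNERABLE else "OK"
    return "NOT_LISTED"                  # not named in the advisory

def triage_inventory(csv_text):
    """Return {host: action} for every row of a CSV inventory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row) for row in reader}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {action}")
```

A device with a blank or unreadable firmware field is reported as `VERIFY_MANUALLY` rather than assumed patched, so gaps in the inventory surface instead of hiding an affected camera.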