In a disturbing development for IoT security, a critical unpatched vulnerability has been found in Hangzhou Xiongmai Technology IP cameras, leaving thousands of devices worldwide exposed to total compromise. The flaw, designated CVE-2025-65856, carries a CVSS score of 9.8, signaling a catastrophic risk level for both residential and enterprise users.
The full technical details and Proof-of-Concept (PoC) exploit code are now circulating publicly, while the manufacturer has yet to provide a patch.
The vulnerability is an authentication bypass rooted in a flawed implementation of the ONVIF (Open Network Video Interface Forum) protocol. Specifically, the device firmware fails to enforce WS-Security (UsernameToken) authentication on 31 critical endpoints that, under the ONVIF specification, are supposed to require valid credentials.
Because the firmware never validates the WS-Security header, an unauthenticated remote attacker can send plain SOAP requests, carrying no credentials at all, to the device's ONVIF service on ports such as 80, 8000, 8080, or 8899 and gain immediate control.
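To make the missing check concrete, here is an added example (not code from the article, from the vendor, or from the circulating PoC) that builds both kinds of ONVIF request and then performs the server-side WS-UsernameToken verification that a conforming device must run before serving a protected operation. The operation names (GetDeviceInformation, GetUsers) and the PasswordDigest formula come from the public ONVIF and WS-Security specifications; the user database, password and skew window are assumptions for the demonstration. A request with no Security header must fall into the first `return False`; the vulnerable firmware effectively skips that branch.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
DEVICE_NS = "http://www.onvif.org/ver10/device/wsdl"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_ENC = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-UsernameToken PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(operation, username=None, password=None, created=None):
    """SOAP 1.2 envelope for an ONVIF device-service operation.

    With no username the envelope carries no Security header at all; that is
    the bare request the vulnerable firmware answers as if it were authenticated.
    `created` can be forced to a fixed timestamp to show replay rejection.
    """
    header = ""
    if username is not None:
        nonce = secrets.token_bytes(16)
        created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
        header = (
            f'<s:Header><wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
            f"<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>"
            f'<wsse:Password Type="{DIGEST_TYPE}">'
            f"{password_digest(nonce, created, password)}</wsse:Password>"
            f'<wsse:Nonce EncodingType="{NONCE_ENC}">'
            f"{base64.b64encode(nonce).decode()}</wsse:Nonce>"
            f"<wsu:Created>{created}</wsu:Created>"
            "</wsse:UsernameToken></wsse:Security></s:Header>"
        )
    return (f'<s:Envelope xmlns:s="{SOAP_NS}">{header}'
            f'<s:Body><tds:{operation} xmlns:tds="{DEVICE_NS}"/></s:Body></s:Envelope>')


def authenticate(envelope_xml, users, max_skew_seconds=300):
    """The check a conforming ONVIF server performs before serving a protected
    operation. Returns True only for a fresh, correctly digested UsernameToken.
    `users` is an assumed {username: password} store for the demonstration."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security"
                      f"/{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return False  # no credentials at all: must be refused, never served
    try:
        username = token.find(f"{{{WSSE_NS}}}Username").text
        digest = token.find(f"{{{WSSE_NS}}}Password").text
        nonce = base64.b64decode(token.find(f"{{{WSSE_NS}}}Nonce").text)
        created = token.find(f"{{{WSU_NS}}}Created").text
    except AttributeError:
        return False  # malformed token
    password = users.get(username)
    if password is None:
        return False  # unknown user
    issued = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    if abs((datetime.now(timezone.utc) - issued).total_seconds()) > max_skew_seconds:
        return False  # stale or replayed token
    expected = password_digest(nonce, created, password)
    return hmac.compare_digest(digest, expected)  # constant-time comparison
```

To test your own camera, POST the output of `build_request("GetDeviceInformation")` with `Content-Type: application/soap+xml` to the device's ONVIF device-service path (conventionally `/onvif/device_service`) on each of the listed ports. A correctly implemented device answers a credential-less request with a SOAP fault; a device that returns a `GetDeviceInformationResponse` is serving protected operations without authentication and should be isolated.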
The scope of the exposure is total. By bypassing authentication, an attacker can:
- Access Live Feeds: View real-time video and audio streams without the owner’s knowledge.
- Harvest Credentials: Enumerate user accounts and extract RTSP credentials (linked to the secondary flaw CVE-2025-65857).
- Physical Manipulation: Control Pan-Tilt-Zoom (PTZ) functions or manipulate relay outputs to trigger or disable physical alarm systems.
- Network Reconnaissance: Obtain complete network and device configurations to launch further attacks within a local network.
“The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access,” CISA warns.
The vulnerability affects XM530 IP cameras running firmware version V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06. Despite the severity of the situation, the vendor has not responded to mitigation requests from CISA.
With thousands of these devices currently indexed on search engines like Shodan, the lack of an official patch creates a “sitting duck” scenario for anyone with an internet-exposed camera.
Given the public disclosure of the PoC and the lack of a manufacturer fix, users must take immediate defensive action:
- Isolate the Device: Ensure your IP camera is not directly reachable from the public internet.
- Use a VPN: Only access your camera through a secure VPN or an encrypted gateway that requires its own robust authentication.
- Monitor Traffic: Watch for unusual outbound connections or unauthorized access attempts on ports 80, 8000, 8080, and 8899.
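The monitoring step above can be automated against a gateway's firewall log. The following is an added example, not from the article, that scans netfilter/iptables LOG-format lines and flags two things: inbound connections to a camera on the ONVIF ports from anywhere outside a trusted (VPN or LAN) range, and any outbound connection from the camera to an untrusted host. The log lines, the camera address 192.168.1.50 and the trusted ranges 10.8.0.0/24 and 192.168.1.0/24 are constructed for the demonstration.

```python
import ipaddress
import re

# Ports named in the advisory for the camera's ONVIF/SOAP service.
CAMERA_PORTS = {80, 8000, 8080, 8899}

# Fields of the netfilter LOG target: "... SRC=a.b.c.d DST=e.f.g.h ... PROTO=TCP ... DPT=n ..."
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Mar 3 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.8.0.2 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51234 DPT=8899 SYN",
    "Mar 3 10:00:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=40001 DPT=8899 SYN",
    "Mar 3 10:00:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=40002 DPT=80 SYN",
    "Mar 3 10:00:12 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=33000 DPT=443 SYN",
    "Mar 3 10:00:15 gw kernel: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=50000 DPT=22 SYN",
    "Mar 3 10:00:20 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=33001 DPT=554 SYN",
]

CAMERA_IPS = ["192.168.1.50"]                 # assumed camera address
TRUSTED_NETS = ["10.8.0.0/24", "192.168.1.0/24"]  # assumed VPN pool and LAN


def find_suspicious(log_lines, camera_ips, trusted_nets):
    """Return (src, dst, dport, reason) tuples for log entries worth investigating."""
    cams = {ipaddress.ip_address(c) for c in camera_ips}
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a netfilter connection record
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dpt"])
        if dst in cams and dport in CAMERA_PORTS and not is_trusted(src):
            findings.append((str(src), str(dst), dport,
                             "inbound ONVIF access from untrusted source"))
        elif src in cams and not is_trusted(dst):
            findings.append((str(src), str(dst), dport,
                             "outbound connection from camera to untrusted host"))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, CAMERA_IPS, TRUSTED_NETS):
        print(hit)
```

Any inbound hit here means the isolation step failed: the camera's ONVIF ports are reachable from outside the trusted range. Outbound hits from a camera that should only ever talk to a local NVR or the VPN gateway are the "unusual outbound connections" the mitigation list refers to.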