Owners of legacy Vivotek IP7137 surveillance cameras have been dealt a harsh reality check: their devices are riddled with critical security holes, and no patch is coming to save them. CERT Polska has disclosed a cluster of four vulnerabilities ranging from unauthorized video streaming to remote command injection. Because the product has reached its “End-Of-Life” (EOL) phase, the vendor is not expected to release a fix, leaving these devices permanently vulnerable to exploitation.
The most visceral threat to user privacy is CVE-2025-66049, a high-severity flaw (CVSS 8.7) that turns the camera into a public broadcaster. According to the report, the camera “is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication”.
This oversight allows any unauthorized user with network access to simply tune in and view the feed, “potentially compromising user privacy and security”.
Compounding the issue is CVE-2025-66050, a critical vulnerability with a CVSS score of 9.3. The report notes that by default, the camera “does not require to provide any password when logging in as an administrator”.
While users can set a password, the system fails to prompt them to do so, leaving the administrative interface wide open. “A user is not informed about such a need,” creating a false sense of security for anyone plugging the device in for the first time.
Once an attacker has administrative access—which is trivial due to the missing password requirement—they can leverage CVE-2025-66052 (CVSS 8.6) to execute arbitrary commands. This command injection flaw exists in the /cgi-bin/admin/setparam.cgi endpoint, where the system_ntplt parameter is “not sanitized properly”.
Additionally, the camera suffers from a path traversal vulnerability (CVE-2025-66051, CVSS 6.9), which allows authenticated attackers to “access resources beyond webroot directory using a direct HTTP request”.
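As an added example (not code from CERT Polska's advisory or from Vivotek), the following Python scans a web-server access log for requests that match the two HTTP-side flaws described above: a `system_ntplt` value sent to `setparam.cgi` that is not a plain hostname or IPv4 literal, and a request path whose segments step above the webroot. The Common Log Format layout and the sample lines are constructed assumptions; a real camera's log format may differ.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not captured from a real device.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2025:10:00:01 +0000] "GET /cgi-bin/admin/setparam.cgi?system_ntplt=pool.ntp.org HTTP/1.1" 200 120
10.0.0.9 - - [01/Dec/2025:10:00:07 +0000] "GET /cgi-bin/admin/setparam.cgi?system_ntplt=pool.ntp.org%3Bx HTTP/1.1" 200 118
10.0.0.9 - - [01/Dec/2025:10:00:12 +0000] "GET /cgi-bin/admin/../../etc/x HTTP/1.1" 200 310
10.0.0.5 - - [01/Dec/2025:10:00:20 +0000] "GET /cgi-bin/viewer/video.jpg HTTP/1.1" 200 54012
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate NTP server setting is a hostname or IPv4 literal: letters, digits, dots, hyphens.
HOSTNAME_RE = re.compile(r'^[A-Za-z0-9.-]{1,253}$')


def suspicious_ntp_value(value: str) -> bool:
    """True when the decoded system_ntplt value contains anything beyond hostname characters."""
    return not HOSTNAME_RE.fullmatch(value)


def analyze_line(line: str):
    """Return (client_ip, [finding, ...]) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    findings = []
    # Decode percent-encoding first so an encoded ".." segment is still caught.
    if '..' in unquote(parts.path).split('/'):
        findings.append('path-traversal')
    if parts.path == '/cgi-bin/admin/setparam.cgi':
        # parse_qs percent-decodes values, so "%3B" becomes ";" before the check.
        for value in parse_qs(parts.query).get('system_ntplt', []):
            if suspicious_ntp_value(value):
                findings.append('ntp-command-injection')
    return m.group('ip'), findings


def scan_log(text: str):
    """Return only the (ip, findings) pairs that produced at least one finding."""
    alerts = []
    for line in text.splitlines():
        result = analyze_line(line)
        if result and result[1]:
            alerts.append(result)
    return alerts


if __name__ == '__main__':
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, ', '.join(findings))
```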
The report states that “the vendor has not replied to the CNA” regarding these disclosures. With the product officially End-Of-Life, these vulnerabilities effectively become “forever days”—bugs that will persist for as long as the hardware remains in operation.
“Possibly all firmware versions are affected,” the advisory warns. Users are strongly advised to decommission these cameras or isolate them entirely from untrusted networks.