[TIMESTAMP: 2026-04-23 20:27 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2025-65856: Authentication Bypass in Xiongmai XM530 IP Cameras

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Unauthenticated remote attackers can access sensitive information and live video streams from affected IP cameras.
  • [02] Affected systems: Xiongmai XM530 IP Camera firmware V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06.
  • [03] Remediation: Minimize network exposure; isolate devices behind firewalls and use secure remote access methods.

Overview: Critical Authentication Bypass in Xiongmai XM530 IP Cameras

Runtime Rebel is issuing an advisory regarding CVE-2025-65856, a critical authentication bypass vulnerability affecting specific firmware versions of Hangzhou Xiongmai Technology Co., Ltd XM530 IP Cameras. This vulnerability, with a CVSS v3.1 score of 9.8 (CRITICAL), allows unauthenticated remote attackers to gain unauthorized access to sensitive device information, including live video streams, without requiring any credentials. The vulnerability stems from a failure in the ONVIF implementation to enforce authentication on 31 critical endpoints, a fundamental flaw classified as CWE-306 (Missing Authentication for Critical Function). This exposure primarily impacts devices within commercial facilities globally, as noted by CISA.

The implications of this vulnerability are significant. Unauthorized access to surveillance feeds can compromise privacy, facilitate espionage, or aid in physical security breaches. While CISA has reported the existence of a public Proof of Concept (PoC), no known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. However, the presence of a PoC increases the immediate risk to affected organizations.

Technical Details: CVE-2025-65856 Authentication Bypass in Xiongmai XM530 IP Cameras

The specific affected product is the Hangzhou Xiongmai Technology Co., Ltd IP Camera XM530V200_X6-WEQ_8M firmware, version V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06. The core issue lies within the camera’s ONVIF implementation, which neglects to validate user authentication for a significant number of its critical functions. This oversight enables attackers to directly interact with these unauthenticated endpoints, bypassing the intended security controls and gaining access to sensitive data streams that should otherwise be protected.

This flaw represents a severe breakdown in the security architecture, as it allows for a complete circumvention of the primary access control mechanism. Unlike vulnerabilities requiring complex chained exploits or user interaction, this authentication bypass can be triggered remotely by an unauthenticated attacker. The immediate consequence is the unauthorized exposure of live video feeds and other device information, which can have cascading security effects depending on the deployment context of the IP cameras.

It is critical to note that Hangzhou Xiongmai Technology Co., Ltd has not yet responded to requests from CISA regarding mitigation efforts for this vulnerability. This lack of vendor support places the onus on affected organizations to implement robust defensive measures to mitigate XM530 IP camera vulnerabilities and secure their deployments.

Actionable Recommendations and Mitigations

Given the critical nature of CVE-2025-65856 and the absence of a vendor-supplied patch, organizations must act decisively to secure their Xiongmai XM530 IP cameras. The primary strategy should focus on minimizing exposure and implementing defense-in-depth principles.

To effectively secure Xiongmai IP camera ONVIF endpoints and protect against this critical vulnerability, Runtime Rebel recommends the following actions:

  • Minimize Network Exposure: Ensure that all control system devices and IP cameras are not directly accessible from the public internet. This is the most crucial step to prevent remote exploitation.
  • Network Segmentation: Isolate control system networks and remote devices, including IP cameras, behind firewalls and segment them from enterprise or business networks. This limits the blast radius should a compromise occur.
  • Secure Remote Access: When remote access is absolutely necessary, utilize secure methods such as Virtual Private Networks (VPNs). Regularly update VPNs to the latest versions and recognize that a VPN’s security is contingent on the security of its connected devices and strong authentication.
  • Contact Vendor Support: Although CISA reports a lack of response, users of affected XM530 IP cameras are encouraged to contact Xiongmai Technology customer support directly for any potential updates or guidance (https://www.xiongmaitech.com/en/index.php/about/contact/42).
  • Implement Defense-in-Depth: Review and enhance overall cybersecurity posture for Industrial Control Systems (ICS) assets. This includes strong network access controls, continuous monitoring, and security awareness training.
  • Be Wary of Social Engineering: While not directly related to this vulnerability, CISA consistently advises users to protect against social engineering attacks, including phishing. Do not click web links or open attachments in unsolicited email messages, as these remain common initial access TTPs for threat actors.
  • Perform Risk Assessment: Organizations should conduct a thorough impact analysis and risk assessment before deploying any defensive measures to understand potential operational impacts.
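The Technical Details section describes ONVIF calls that the affected firmware answers without credentials, and the segmentation and continuous-monitoring items above are the compensating controls. The following is an added example (not the advisory's or the vendor's code) that triages ONVIF HTTP requests captured at a reverse proxy or network tap in front of the cameras: any ONVIF call from outside the trusted video-management segment is an alert regardless of whether it carries credentials, because on affected firmware the credential check is the part that is broken. The trusted subnet, the sample SOAP bodies and the `/onvif/` path prefix are constructed assumptions; the WS-Security UsernameToken and HTTP Digest checks reflect ONVIF's standard authentication mechanisms.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Assumption (constructed): only the NVR/VMS hosts in this segment may speak ONVIF to cameras.
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed sample SOAP bodies: one with a WS-Security UsernameToken, one without.
AUTH_BODY = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header>'
    f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>'
    '<wsse:Username>operator</wsse:Username></wsse:UsernameToken>'
    '</wsse:Security></s:Header><s:Body/></s:Envelope>'
)
NOAUTH_BODY = f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header/><s:Body/></s:Envelope>'


def has_soap_auth(body: str) -> bool:
    """True when the SOAP header carries a WS-Security UsernameToken."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    path = f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken"
    return root.find(path) is not None


def classify(src_ip: str, path: str, headers: dict, body: str) -> str:
    """Triage one HTTP request seen in front of a camera.

    ignore - not an ONVIF service call
    alert  - ONVIF call from outside the trusted segment: the camera is reachable
             where it should not be, and on affected firmware no credentials are needed
    review - unauthenticated call from inside the segment (a few ONVIF discovery
             operations are unauthenticated by design, so this is low priority)
    ok     - authenticated call from inside the segment
    """
    if not path.startswith("/onvif/"):
        return "ignore"
    if not any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_NETS):
        return "alert"
    # ONVIF also permits HTTP Digest, which arrives as an Authorization header.
    authenticated = has_soap_auth(body) or any(k.lower() == "authorization" for k in headers)
    return "ok" if authenticated else "review"
```

Feed it the source address, request path, headers and body of each request logged by the proxy or tap; a sustained stream of "alert" verdicts means the segmentation control has a hole, independent of whether a patch ever arrives.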

Organizations observing any suspected malicious activity related to their IP camera infrastructure should follow internal procedures and report findings to CISA for further analysis and correlation.
