CVE-2025-14749

6.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthorized remote control of PTZ (Pan-Tilt-Zoom) cameras on the Ningyuanda TC155 device via the ONVIF interface. Attackers on the local network can manipulate camera positioning and functions without authentication. Only users of Ningyuanda TC155 version 57.0.2.0 are affected.

💻 Affected Systems

Products:
  • Ningyuanda TC155
Versions: 57.0.2.0
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with ONVIF PTZ Control Interface enabled (typically default).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full control of surveillance cameras, potentially disabling monitoring, pointing cameras away from sensitive areas, or causing physical damage through excessive movement.

🟠 Likely Case

Unauthorized camera manipulation leading to surveillance blind spots, privacy violations, or disruption of security monitoring.

🟢 If Mitigated

Limited to network reconnaissance if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: LOW (requires local network access per description)
🏢 Internal Only: HIGH (exploit is publicly available and works on local network)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub, requires local network access only.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None (vendor did not respond)

Restart Required: No

Instructions:

No official patch available. Consider workarounds or replacement.

🔧 Temporary Workarounds

Network Segmentation

Isolate TC155 devices on a separate VLAN with strict access controls.

Disable ONVIF Interface

Turn off the ONVIF PTZ Control Interface if it is not required.

🧯 If You Can't Patch

  • Implement strict network ACLs to block all access to the /onvif/device_service endpoint
  • Monitor network traffic for unauthorized ONVIF protocol requests

🔍 How to Verify

Check if Vulnerable:

From the local network, test whether the /onvif/device_service endpoint accepts ONVIF PTZ commands without authentication.

Check Version:

Check device web interface or documentation for firmware version

Verify Fix Applied:

Verify that ONVIF PTZ commands now require authentication or are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized ONVIF protocol requests
  • PTZ control commands from unexpected IPs

Network Indicators:

  • ONVIF SOAP requests to /onvif/device_service without authentication

SIEM Query:

source_ip NOT IN authorized_list AND dest_port=80 AND uri_path="/onvif/device_service"
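
The indicators above can be combined into one check over captured HTTP requests. The following is an added example, not code from the vendor or from this advisory. It assumes a sensor or proxy that records the source IP, path, Authorization header and SOAP body of each cleartext request; the event field names, the allowlist and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ONVIF_PATH = "/onvif/device_service"            # endpoint named in the advisory
PTZ_NS = "http://www.onvif.org/ver20/ptz/wsdl"  # ONVIF PTZ service namespace
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
AUTHORIZED = {"10.20.0.5"}  # assumption: the only host allowed to drive cameras

def local(tag):
    return tag.rsplit("}", 1)[-1]

def classify(event):
    """Return the reasons a captured request looks like unauthorized PTZ control."""
    if event["path"].split("?")[0] != ONVIF_PATH:
        return []
    reasons = []
    if event["src"] not in AUTHORIZED:
        reasons.append("source not in authorized list")
    if "<!DOCTYPE" in event["body"]:  # never expand DTDs from captured traffic
        return reasons + ["DTD in SOAP body"]
    try:
        root = ET.fromstring(event["body"])
    except ET.ParseError:
        return reasons + ["unparseable SOAP body"]
    # PTZ operations are the direct children of the SOAP Body in the PTZ namespace.
    ops = [local(c.tag) for b in root if local(b.tag) == "Body"
           for c in b if c.tag.startswith("{" + PTZ_NS + "}")]
    # Only the presence of credentials is checked; a sensor cannot validate them.
    has_token = root.find(".//{" + WSSE_NS + "}UsernameToken") is not None
    has_digest = event.get("authorization", "").lower().startswith("digest ")
    if ops and not (has_token or has_digest):
        reasons.append("PTZ operation without credentials: " + ops[0])
    return reasons

def soap(op, header=""):  # builds a constructed envelope for the samples below
    return ('<s:Envelope xmlns:s="%s" xmlns:tptz="%s" xmlns:wsse="%s"><s:Header>%s'
            '</s:Header><s:Body><tptz:%s/></s:Body></s:Envelope>'
            % (SOAP_NS, PTZ_NS, WSSE_NS, header, op))

TOKEN = ("<wsse:Security><wsse:UsernameToken><wsse:Username>nvr</wsse:Username>"
         "</wsse:UsernameToken></wsse:Security>")
SAMPLES = [  # constructed events, not real captures
    {"src": "10.20.0.5", "path": ONVIF_PATH, "body": soap("ContinuousMove", TOKEN)},
    {"src": "10.20.0.77", "path": ONVIF_PATH, "body": soap("ContinuousMove")},
    {"src": "10.20.0.5", "path": ONVIF_PATH, "body": soap("Stop")},
    {"src": "10.20.0.77", "path": "/index.html", "body": ""},
]
if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["src"], ev["path"], classify(ev) or "ok")
```

The third sample shows why the IP allowlist in the SIEM query is not sufficient on its own: a request from an authorized address that carries no credentials is still flagged.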
