CVE-2025-65856

9.8 CRITICAL

📋 TL;DR

CVE-2025-65856 is an authentication bypass vulnerability in Xiongmai XM530 IP cameras that allows remote attackers to access sensitive device information and live video streams without credentials. It affects XM530 cameras running specific firmware versions and stems from improper authentication enforcement in the ONVIF implementation.

💻 Affected Systems

Products:
  • Xiongmai XM530 IP Camera
Versions: Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the ONVIF implementation, which fails to enforce authentication on 31 critical endpoints.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of video surveillance systems, enabling unauthorized live monitoring of sensitive areas, potential physical security breaches, and exposure of camera configuration data.

🟠 Likely Case

Unauthorized access to live video feeds from vulnerable cameras, potentially exposing private or sensitive areas to remote attackers.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external access to camera management interfaces.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to the camera's ONVIF service endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Monitor vendor website for firmware updates.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate cameras on separate VLANs with strict firewall rules preventing external access to ONVIF ports.

Access Control Lists

all

Implement IP-based access restrictions to camera management interfaces.

🧯 If You Can't Patch

  • Disable ONVIF protocol if not required for functionality
  • Implement VPN-only access to camera management interfaces

🔍 How to Verify

Check if Vulnerable:

Attempt to access ONVIF endpoints without authentication using tools like curl or ONVIF Device Manager

Check Version:

Check camera web interface or ONVIF GetSystemDateAndTime response for firmware version

Verify Fix Applied:

Test authentication requirements on previously vulnerable ONVIF endpoints

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to ONVIF endpoints
  • Multiple failed authentication attempts followed by successful access

Network Indicators:

  • Unusual traffic patterns to camera ONVIF ports from unauthorized IPs
  • Video stream requests without preceding authentication

SIEM Query:

source_ip NOT IN allowed_ips AND destination_port IN (80, 443, 8899) AND protocol='http' AND uri CONTAINS '/onvif/'
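
The SIEM query above, written out as a Python filter over flow or proxy records. This is an added example, not part of the original advisory: the log format, the allowlisted management subnet and the sample records are constructed assumptions, while the ports and the '/onvif/' match come from the query.

```python
import ipaddress
from collections import defaultdict

# Assumption: management hosts allowed to speak ONVIF to cameras (hypothetical subnet).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/28")]
ONVIF_PORTS = {80, 443, 8899}  # ports named in the advisory's SIEM query

# Constructed records: timestamp src_ip dst_ip dst_port protocol method uri
SAMPLE_LOG = """\
2025-01-10T08:00:01Z 10.20.0.5 10.30.0.11 8899 http POST /onvif/device_service
2025-01-10T08:00:04Z 192.0.2.44 10.30.0.11 8899 http POST /onvif/device_service
2025-01-10T08:00:05Z 192.0.2.44 10.30.0.11 8899 http POST /onvif/media_service
2025-01-10T08:00:09Z 192.0.2.44 10.30.0.11 80 http GET /index.html
2025-01-10T08:00:12Z 198.51.100.7 10.30.0.12 80 http POST /ONVIF/device_service
2025-01-10T08:00:15Z 10.20.0.5 10.30.0.12 554 rtsp DESCRIBE /stream1
malformed line
"""

def parse(line):
    """Return a record dict, or None for lines that do not fit the assumed format."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, dst, port, proto, _method, uri = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
                "port": int(port), "proto": proto.lower(), "uri": uri}
    except ValueError:
        return None

def find_onvif_hits(log_text):
    """Group ONVIF requests from non-allowlisted sources by (source, camera)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        allowed = any(rec["src"] in net for net in ALLOWED_NETS)
        # Case-insensitive URI match is a choice made here; the query uses CONTAINS.
        if (not allowed and rec["port"] in ONVIF_PORTS
                and rec["proto"] == "http" and "/onvif/" in rec["uri"].lower()):
            hits[(str(rec["src"]), rec["dst"])].append((rec["ts"], rec["uri"]))
    return dict(hits)

if __name__ == "__main__":
    for (src, cam), reqs in find_onvif_hits(SAMPLE_LOG).items():
        print(f"{src} -> {cam}: {len(reqs)} ONVIF request(s), first at {reqs[0][0]}")
```

Grouping by source and camera makes it easier to tell a single stray request from one address working through several ONVIF services on the same device.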
