Shenzhen Liandian IP Cam CVE-2025-7503 Hardcoded Credentials & Unauthenticated RTSP Exposure

Vulnerability Overview 1. CVE-2025-7503 - Description: Commercial IP cameras have the Telnet service (port 23) exposed by default. This service uses hardcoded credentials, allowing users to obtain a root shell. - Risk: - Users are unaware of the existence of the Telnet interface. - There is no prompt to change these credentials. - Telnet cannot be disabled via the mobile application. - Firmware and Software Information: - App Version: AppFHE1_V1.0.6.02020803 - Kernel Version: KerFHE1_PTZ_WIFI_V1.1.1 - Hardware Version: hwFHE1_WF6_PTZ_WIFI_20201218 - MAC Address: 1C:A0:EF (Shenzhen Liandian Communication Technology LTD) - Nmap Output: Shows Telnet service (port 23) is open. - Telnet Session: An attacker can use default credentials (username: root, password: gzhangshi) via Telnet to obtain root shell access. 2. Plaintext Wi-Fi Credentials in the File System - Description: Shenzhen Liandian Communication Technology LTD OEM IP cameras (Hardware ID: hwFHE1_WF6_PTZ_WIFI_20201218, Firmware Version: AppFHE1_V1.0.6.0) store plaintext Wi-Fi credentials in the file system. - Impact: An attacker with root shell access to the file system can directly retrieve the Wi-Fi SSID and password. - Details: - Wi-Fi credentials are stored in the file. - The content of this file can be accessed using Linux commands. - Proof of Concept (POC): 3. Reverse Engineering Leads to Exposure of Critical Video Streams - Description: During reverse engineering of the camera's main binary, code for the RTSP streaming worker thread was discovered. - Impact: When RTSP is enabled, the camera allows unauthenticated access to real-time video streams. - Details: - The RTSP enable flag is located in the file. - After modifying , restarting the camera launches the RTSP service. - Real-time video streams can be accessed via the RTSP endpoint without providing credentials. Scope of Impact CVE-2025-7503: - Privilege Escalation: Immediate root access is granted. - Remote Code Execution (RCE): Commands can be executed on the system. - Backdoor Risk: The service is undocumented and invisible to users. - No Fix Available: The vendor has not provided firmware updates or mitigation measures. Plaintext Wi-Fi Credentials: - An attacker with root shell access to the file system can directly retrieve the Wi-Fi SSID and password. RTSP Streaming Exposure: - When RTSP is enabled, the camera allows unauthenticated access to real-time video streams. Remediation CVE-2025-7503: - No firmware updates or mitigation measures have been provided by the vendor. Plaintext Wi-Fi Credentials: - It is recommended to modify the firmware to encrypt the storage of Wi-Fi credentials. RTSP Streaming Exposure: - It is recommended to modify the firmware to require authentication for RTSP streaming. POC Code

Goal Reached Thanks to every supporter — we hit 100%!

Shenzhen Liandian IP Cam CVE-2025-7503 Hardcoded Credentials & Unauthenticated RTSP Exposure

More from this source