Critical Xiongmai IP Camera Flaw Lets Attackers Bypass Authentication
Key Takeaways
- A critical authentication bypass flaw has been discovered in specific Xiongmai IP camera firmware.
- The vulnerability, CVE-2025-65856, allows unauthenticated attackers to gain full control over affected XM530 IP cameras.
- With a CVSS v3 score of 9.8, the flaw poses a severe risk of unauthorized surveillance and data exfiltration.
- No patch is currently available from the vendor, but CISA has issued mitigation recommendations.
Hangzhou Xiongmai Technology’s XM530 IP Cameras, widely deployed for commercial surveillance, are vulnerable to a critical authentication bypass flaw that could allow unauthorized access to live feeds and device controls. This severe vulnerability undermines the intended security function of these devices, potentially exposing sensitive commercial facilities to significant risk.
Designated as CVE-2025-65856 and tracked under the alert code ICSA-26-113-05, the flaw enables cybercriminals to circumvent authentication mechanisms entirely. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on April 23, 2026, highlighting the urgent need for organizations globally to address the potential for unauthorized remote access.
Technical Details and Impact
The root cause of CVE-2025-65856 is a missing authentication check on a critical function in the camera’s firmware. The device’s software never verifies user credentials before that function grants administrative privileges, so an unauthenticated request reaches administrative functionality directly, effectively creating a backdoor for attackers.
This vulnerability has been assigned a CVSS v3 score of 9.8 out of 10, placing it in the Critical severity range. The flaw specifically impacts firmware version XM530V200_X6-WEQ_8M V5.00.R02.000807D8.10010. 346624.S. ONVIF_21.06.
Successful exploitation by an unauthenticated attacker on the network could lead to comprehensive control over the affected camera. This includes the ability to view live video feeds, alter camera settings, and extract sensitive data directly from the device, bypassing all login screens.
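The bug class described above (one privileged function that a developer forgot to guard) is easiest to see in code. The following is an added illustration, not Xiongmai firmware or anything from the CISA advisory: a minimal HTTP-style dispatcher with constructed routes, users and passwords. The first version leaves each handler responsible for its own credential check and omits it on one endpoint; the second version moves the check into the dispatcher so that every route is authenticated unless it is explicitly placed on a public allow-list.

```python
"""
Added example (not vendor code): why a single missing authentication
check on a privileged handler yields a full bypass, and how a
deny-by-default dispatcher removes the class of bug.
Every route, user and password here is constructed for the demo.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed credential store: username -> SHA-256 digest of the password.
USERS = {"admin": hashlib.sha256(b"correct horse battery staple").hexdigest()}


def credentials_valid(user: Optional[str], password: Optional[str]) -> bool:
    """Verify a username/password pair with a constant-time digest comparison."""
    if user is None or password is None or user not in USERS:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, USERS[user])


# Three privileged operations, standing in for live view, configuration
# changes and settings export. They return status strings for readability.
def live_stream(req: dict) -> str:
    return "200 stream-token"


def set_config(req: dict) -> str:
    return "200 config-updated"


def export_settings(req: dict) -> str:
    return "200 settings-blob"


# --- Vulnerable pattern: each handler must opt in to authentication.
#     The check was applied to two of three privileged endpoints.
def checked(handler: Callable[[dict], str]) -> Callable[[dict], str]:
    def wrapper(req: dict) -> str:
        if not credentials_valid(req.get("user"), req.get("password")):
            return "401 unauthorized"
        return handler(req)
    return wrapper


VULNERABLE_ROUTES: Dict[str, Callable[[dict], str]] = {
    "/stream": checked(live_stream),
    "/config": checked(set_config),
    "/export": export_settings,   # missing check: reachable with no credentials
}


def dispatch_vulnerable(path: str, req: dict) -> str:
    handler = VULNERABLE_ROUTES.get(path)
    return "404 not found" if handler is None else handler(req)


# --- Hardened pattern: the dispatcher authenticates every route by default.
#     Only routes on an explicit allow-list skip the check, so forgetting a
#     decorator can no longer expose a privileged function.
def status(req: dict) -> str:
    return "200 ok"


PUBLIC_ROUTES = {"/status"}

HARDENED_ROUTES: Dict[str, Callable[[dict], str]] = {
    "/status": status,
    "/stream": live_stream,
    "/config": set_config,
    "/export": export_settings,
}


def dispatch_hardened(path: str, req: dict) -> str:
    handler = HARDENED_ROUTES.get(path)
    if handler is None:
        return "404 not found"
    if path not in PUBLIC_ROUTES and not credentials_valid(
        req.get("user"), req.get("password")
    ):
        return "401 unauthorized"
    return handler(req)


if __name__ == "__main__":
    anonymous = {}
    print(dispatch_vulnerable("/export", anonymous))   # 200 settings-blob
    print(dispatch_hardened("/export", anonymous))     # 401 unauthorized
```

The design point is that authentication belongs at a single chokepoint with a deny-by-default rule; per-handler opt-in checks are exactly the pattern that a missing-authentication-for-critical-function weakness grows out of, and a route table like HARDENED_ROUTES can be audited by reading the short public allow-list rather than every handler.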
Public Exploit Code Raises Threat Level
Security researcher Luis Miranda Acebedo developed and publicly released a working Proof of Concept (PoC) exploit for this vulnerability. CISA identified this public code and promptly reported it for official tracking by MITRE.
While CISA has not yet reported any active cyberattacks targeting this specific flaw in the wild, the public availability of a PoC significantly escalates the threat. Such code provides a readily available blueprint, simplifying the process for malicious actors to launch automated attacks against vulnerable devices.
Given the widespread deployment of Xiongmai IP cameras in commercial facilities globally, thousands of businesses could be unknowingly exposed to unauthorized surveillance. As these Internet of Things (IoT) devices are frequently positioned in sensitive areas, organizations must take immediate proactive measures to prevent potential security breaches.
What You Should Do
- Immediately disconnect control system devices, including IP cameras, from the public internet to minimize exposure.
- Implement strict firewall rules to isolate camera networks and other remote devices from internal business networks.
- Utilize secure Virtual Private Networks (VPNs) for any necessary remote access to cameras, ensuring all VPN software is updated to the latest versions.
- Conduct a thorough impact analysis and risk assessment before deploying new defensive network measures.
- Educate staff on cybersecurity best practices, particularly regarding suspicious web links and email attachments, to prevent related social engineering attacks.
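The first three recommendations above amount to a segmentation policy: cameras reach only their recorder, operators reach cameras only over the VPN, and nothing else passes in either direction. The following added example (not from CISA or the vendor) models that policy as a first-match rule list and checks it against the traffic paths that matter, so a proposed firewall change can be tested before it is deployed, as the impact-analysis step suggests. All subnets, the recorder address, the VPN client pool and the ports are constructed for the demo.

```python
"""
Added example: a first-match firewall policy model used to verify that a
camera VLAN is isolated from the internet and the business LAN while still
reaching its recorder and accepting management only from VPN clients.
Subnets, hosts and ports below are constructed, not taken from any advisory.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

CAMERA_VLAN = ipaddress.ip_network("10.20.0.0/24")    # constructed camera segment
NVR_HOST = ipaddress.ip_network("10.30.0.5/32")       # constructed video recorder
VPN_POOL = ipaddress.ip_network("10.40.0.0/24")       # constructed VPN client pool
BUSINESS_LAN = ipaddress.ip_network("10.10.0.0/16")   # constructed office network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"


def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             default: str = "deny") -> str:
    """Return the action of the first rule matching the flow, else the default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return default


# Weak policy: a flat network where the camera VLAN talks to anything.
WEAK_POLICY = [
    Rule(CAMERA_VLAN, ANY, None, "allow"),
    Rule(ANY, CAMERA_VLAN, None, "allow"),
]

# Corrected policy: cameras push video only to the recorder; management
# reaches cameras only from the VPN pool; everything else is dropped.
ISOLATED_POLICY = [
    Rule(CAMERA_VLAN, NVR_HOST, 554, "allow"),   # RTSP to the recorder only
    Rule(VPN_POOL, CAMERA_VLAN, 80, "allow"),    # web management via VPN
    Rule(VPN_POOL, CAMERA_VLAN, 554, "allow"),   # live view via VPN
    Rule(ANY, CAMERA_VLAN, None, "deny"),        # no other inbound traffic
    Rule(CAMERA_VLAN, ANY, None, "deny"),        # no other outbound traffic
]


def policy_isolates_cameras(rules: List[Rule]) -> bool:
    """Check the flows that the isolation recommendations are meant to control."""
    checks = [
        ("203.0.113.7", "10.20.0.10", 80, "deny"),     # internet -> camera web UI
        ("10.10.5.5", "10.20.0.10", 80, "deny"),       # business LAN -> camera
        ("10.20.0.10", "10.10.5.5", 445, "deny"),      # camera -> business LAN
        ("10.20.0.10", "198.51.100.9", 443, "deny"),   # camera -> internet
        ("10.40.0.23", "10.20.0.10", 80, "allow"),     # VPN client -> camera
        ("10.20.0.10", "10.30.0.5", 554, "allow"),     # camera -> recorder
    ]
    return all(evaluate(rules, s, d, p) == expected for s, d, p, expected in checks)


if __name__ == "__main__":
    print("weak policy isolates cameras:", policy_isolates_cameras(WEAK_POLICY))
    print("corrected policy isolates cameras:", policy_isolates_cameras(ISOLATED_POLICY))
```

The model is deliberately small (first match wins, IPv4 only, no connection state), which is enough to catch the common mistake of an "allow any" rule that sits above the deny rules. When translating a policy like ISOLATED_POLICY into a real firewall, the same six flows make a good acceptance checklist for the post-change verification.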
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.