External risk intelligence

Xiongmai XM530 Cameras Vulnerable to ONVIF Authentication Bypass

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-65856

This vulnerability affects IP cameras that provide video stream access via ONVIF protocols. Such devices are frequently exposed directly to the internet to facilitate remote monitoring, and the nature of the service requires external reachability for normal functionality.

Missing Authentication

Xiongmaitech Xm530v200 X6 Weq 8m Firmware

5.00.r02.000807d8.10010.346624.s.onvif_21.06

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical authentication bypass vulnerability affecting certain Xiongmai IP cameras. The issue allows unauthenticated attackers to access sensitive device information and live video streams by exploiting weaknesses in the ONVIF implementation. The primary concern is confirming relevance and exposure due to the potential for unauthorized video access.

  • Unauthenticated attackers can access live camera video.
  • Critical flaw in camera video stream access.
  • Confirm if these cameras are in use.

Attack Path

How an attacker could exploit the issue

Attackers can bypass authentication on vulnerable IP cameras to access live video feeds and sensitive device information. This is possible because a flaw in the ONVIF implementation allows unauthenticated remote access to specific device functions.

  • No authentication required to access.
  • Bypasses authentication on critical endpoints.
  • Unauthorized access to live video and device information.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could expose sensitive device information and live video streams from affected IP cameras. The issue lies in the ONVIF implementation, which may not properly enforce authentication on certain endpoints, allowing unauthenticated remote attackers to access these streams.

  • Sensitive device information and live video streams.
  • Unauthorized access to unauthenticated endpoints.
  • Exposure of surveillance video and camera data.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Xiongmai IP cameras, specifically affecting the ONVIF implementation, likely falls under the responsibility of infrastructure or IoT device management teams. The initial practical step is to identify all deployed cameras using the affected technology, determine their network exposure and business criticality, and pinpoint the accountable owner before planning any remediation.

  • Identify and confirm camera ownership.
  • Verify network exposure and criticality.
  • Plan phased remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Xiongmai XM530 camera technology?

The Xiongmai XM530 is a hardware platform used in IP-based surveillance cameras. These devices utilize the ONVIF protocol, an industry standard designed to allow different video equipment to communicate and share data, such as live video feeds and configuration information, across a network.

What does CWE-306 mean for CVE-2025-65856?

This vulnerability is classified as CWE-306, which refers to 'Missing Authentication for Critical Function.' In plain terms, the camera's software fails to verify who is asking for data before granting access. Because of this oversight, the system treats unauthorized external requests as if they were coming from a trusted, logged-in administrator.

How do attackers trigger this authentication bypass?

Attackers exploit this by sending direct requests to specific, sensitive web addresses—known as endpoints—on the camera that should require a login but do not. The vulnerability specifically affects 31 of these critical endpoints. Simply interacting with non-sensitive features or using standard, authenticated management tools does not trigger this flaw; it is the deliberate misuse of these unprotected access points that allows the data theft.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal notes that this vulnerability is 'Very likely' to be relevant for internet-facing systems. Because these cameras rely on external network connectivity to function as remote monitoring tools, they are frequently positioned where they can be reached from the public internet, which provides the necessary path for an attacker to exploit the authentication gap.

What is the first step to take if I use these cameras?

Your priority is to establish a full inventory of all deployed Xiongmai XM530 units. Once identified, evaluate whether these devices need to be accessible from the open internet or if they can be moved behind a firewall or restricted network segment. Pinpointing the exact ownership and business function of these cameras is essential before applying further risk mitigation strategies.

References