External risk intelligence

Attacker can control MERCURY MIPC252W IP cameras to view video or disrupt service

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-35903

MERCURY MIPC252W IP cameras have a critical flaw allowing unauthorized control and video access over the network. This could let anyone with access hijack your camera feeds.

5Halo Surface Signal

Authentication Bypass

Mercurycom Mipc252w Firmware

1.0.5

External exposure likelihood

Halo Surface Signal score for CVE-2026-35903

The device is an IP camera designed for remote video surveillance, a class of product notoriously exposed to the internet via port forwarding or UPnP to enable remote viewing. RTSP is inherently used for remote streaming workflows, making this service a common target for external access in real-world deployments.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects MERCURY MIPC252W IP cameras, allowing an attacker to bypass authentication after an initial successful login. The camera fails to properly validate subsequent requests, enabling unauthorized control commands through reused session information. This is concerning because it can lead to unauthorized access to video streams and camera functions.

  • Allows unauthenticated commands.
  • Impacts remote camera control.
  • Accessible from the internet.

Attack Path

How an attacker could exploit the issue

An attacker with network access to a vulnerable MERCURY MIPC252W IP camera can exploit this flaw to gain unauthorized control. They can bypass proper authentication after an initial successful login by reusing session information, allowing them to issue commands like SETUP, PLAY, or TEARDOWN without valid credentials. This could lead to unauthorized video access or disruption of the camera's functions.

  • Network access required.
  • Targets RTSP service.
  • Initial valid session needed.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability appealing due to its critical severity and the potential for unauthenticated remote access to IP cameras, which are often exposed online for surveillance. The ease of exploiting the improper authentication in the RTSP service without needing to compute a valid digest response makes it an attractive target for unauthorized control.

  • No known public exploits exist.
  • The vulnerability is unauthenticated and remotely exploitable.
  • IP cameras are frequently internet-facing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline any MERCURY MIPC252W IP cameras running firmware version 1.0.5 Build 230306. This vulnerability allows unauthenticated network attackers to issue unauthorized RTSP commands, potentially leading to unauthorized access and control of the camera's video stream.

  • Block RTSP traffic to affected cameras.
  • Monitor network for unauthorized RTSP commands.
  • Update firmware to a non-vulnerable version.

Frequently asked questions

What is the MERCURY MIPC252W IP camera and what is it used for?

The MERCURY MIPC252W is an IP camera model that utilizes firmware version 1.0.5 Build 230306. These cameras are commonly used for remote video surveillance, allowing users to monitor locations and access video feeds from a distance.

What type of weakness does CVE-2026-35903 describe for the MIPC252W camera?

CVE-2026-35903 describes an improper authentication weakness. Specifically, after an initial valid login using Digest authentication, the camera fails to properly re-verify authentication in subsequent requests within the same session, allowing for unauthorized commands.

What preconditions are needed for an attacker to exploit this camera vulnerability?

An attacker needs network access to the vulnerable camera and must have previously completed a successful initial authentication via the RTSP service. Once a valid session is established, the attacker can reuse session parameters to issue unauthorized commands without needing a valid Digest response.

How likely is it that this camera vulnerability is accessible from the internet?

This vulnerability is classified as external and has a 'Very likely' internet accessibility score. IP cameras are frequently exposed online to enable remote viewing, and the RTSP service, targeted by this flaw, is often used for remote streaming, making it a common internet-facing service.

What should I do if I am running MERCURY MIPC252W IP cameras?

If you are running MERCURY MIPC252W IP cameras with firmware version 1.0.5 Build 230306, you should consider isolating them from the network or taking them offline. Monitoring for unauthorized RTSP traffic is also recommended until a non-vulnerable firmware version can be applied.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified