External risk intelligence

MERCURY MIPC252W RTSP Authentication Bypass Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-51597

The vulnerability affects an IP camera using RTSP for video streaming. While IP cameras are often placed on local networks, they are also frequently exposed to the internet via port forwarding or UPnP for remote viewing, making internet accessibility possible depending on the specific deployment configuration.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in MERCURY MIPC252W IP cameras related to improper handling of authentication. An attacker on the local network could potentially replay authentication data to bypass security and gain unauthorized access to the live video stream. The primary concern is to confirm if this type of device is in use and exposed.

  • Replay attacks can bypass camera security.
  • Confirms if vulnerable cameras are deployed.
  • Ensure no unauthorized video access.

Attack Path

How an attacker could exploit the issue

An attacker on the same network as an IP camera could capture a valid login attempt. By reusing parts of that captured login, the attacker could then bypass the camera's security and view the live video feed.

  • Attacker must be on the local network.
  • Replay a captured authentication exchange.
  • Gain unauthorized access to video stream.

Live Threat

Current exploitation, exposure, and threat context

An adjacent network attacker could replay authentication exchanges to bypass device credentials, potentially gaining unauthorized access to live video streams from the IP camera. This is possible when the camera's RTSP Digest authentication does not properly implement nonce expiration, allowing an attacker to reuse captured authentication data.

  • Live video streams
  • Replay authentication exchanges
  • Unauthorized live video access

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects IP cameras, and ownership typically resides with teams responsible for IoT devices or video surveillance systems, often in coordination with network and security teams. The first practical step is to identify all deployed cameras, determine their network exposure, and confirm if they are business-critical or accessible from untrusted networks. This information will guide the accountable owner in planning appropriate remediation.

  • Identify and inventory affected devices.
  • Verify network exposure and criticality.
  • Plan remediation or implement controls.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the MERCURY MIPC252W and how is it used?

The MERCURY MIPC252W is an IP-based camera model designed to capture and stream video over a network. Users typically deploy these devices for remote surveillance and monitoring tasks, relying on them to transmit live video feeds to authorized viewers via the Real Time Streaming Protocol (RTSP).

What does CVE-2026-51597 mean by an authentication bypass?

This vulnerability involves a weakness classified as CWE-294, which refers to an 'Authentication Bypass by Capture-Replay.' Essentially, the camera fails to require fresh, unique credentials for every login attempt. Because the device does not expire its authentication tokens, an attacker can capture a previous valid login exchange and reuse it to trick the camera into granting access without needing the actual password.

How does an attacker trigger this replay vulnerability?

An attacker must be on the same local network as the camera to intercept an active authentication exchange between a legitimate user and the device. It is important to note that this bug is not triggered by remote guessing of passwords or brute-force attacks; it specifically relies on the ability to capture and subsequently replay the specific sequence of data that the camera incorrectly accepts as valid.

Is my camera at risk according to Halo Surface Signal?

Halo Surface Signal indicates that while these cameras are often located on internal networks, they are frequently made accessible via the internet through port forwarding or UPnP configurations for remote viewing. If your device is configured to be reachable from outside your local network, the risk of an external attacker exploiting this flaw is significantly higher.

What should I do if I have these cameras on my network?

Your first step is to locate and inventory all deployed MIPC252W units. Once identified, evaluate whether each device needs to be reachable from the internet; if not, disable port forwarding or remove the device from untrusted networks. Coordinate with your team responsible for IoT surveillance to determine the best path forward while ensuring that no unauthorized users have access to your video streams.

References