External risk intelligence

MERCURY MIPC252W RTSP Service Denial of Connection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-51599

The vulnerability affects an RTSP service on a consumer network camera. Such devices are commonly deployed with their management or streaming services exposed to the internet, either directly or via port forwarding, to facilitate remote viewing and monitoring features.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the RTSP service of MERCURY MIPC252W devices. An attacker could exploit this by sending a malformed request to temporarily disable a device's network connection. The main concern is confirming relevance and exposure to this type of device.

  • Malformed requests can disrupt camera connections.
  • Critical flaw impacts remote viewing capabilities.
  • Verify if affected devices are in use.

Attack Path

How an attacker could exploit the issue

An attacker can target a camera's Real-Time Streaming Protocol (RTSP) service, which is often exposed externally. By sending a specially crafted RTSP request, the attacker can disrupt the service, making the camera temporarily unresponsive to legitimate requests. This disruption can hinder the camera's ability to provide video streams or accept further commands.

  • No authentication is required.
  • Sending a malformed RTSP request.
  • Disrupts camera service availability.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated remote attacker could disrupt the functionality of the RTSP service by sending malformed requests. This could cause individual TCP connections to become temporarily unusable by entering a body-waiting state, leading to subsequent data being silently consumed until the connection times out.

  • Disruption of RTSP service availability.
  • Malformed requests sent over network.
  • Temporary connection inoperability.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world ownership of this vulnerability likely falls to teams managing IoT devices or the network infrastructure that exposes them, potentially including platform or security operations. The immediate first step is to inventory all MERCURY MIPC252W devices, assess their network exposure and business criticality, identify the asset owner, and then coordinate remediation efforts.

  • Identify affected asset owners.
  • Verify network exposure and criticality.
  • Plan coordinated remediation actions.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the MERCURY MIPC252W and how is it used?

The MERCURY MIPC252W is a network-connected consumer security camera. It uses the Real-Time Streaming Protocol (RTSP) to transmit video data. Users typically deploy these devices for remote monitoring and surveillance, relying on the RTSP service to stream live video feeds to connected clients or management software.

What does CVE-2026-51599 mean?

This vulnerability is an instance of Improper Input Validation (CWE-20). It occurs because the camera's RTSP service fails to correctly handle malformed data. When the device receives a request claiming to have a message body that is actually missing, it gets stuck waiting for that missing information, effectively locking up the communication channel for that specific connection.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending a specially crafted RTSP request containing a 'Content-Length' header but omitting the expected message body. Notably, sending a valid, complete RTSP request with a properly formatted body does not trigger this issue. The vulnerability specifically exploits the device's failure to reject incomplete requests, forcing it into a dead-end state.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal identifies this as a likely risk because these cameras are frequently exposed to the internet. If your device is directly connected to the web or accessible via port forwarding for remote viewing, it faces a higher probability of being targeted compared to devices restricted to internal, isolated networks.

What should I do if I use this camera?

Start by performing an inventory to locate all MERCURY MIPC252W units in your environment. Determine if these cameras are accessible from the internet and evaluate how critical they are to your operations. Once identified, contact the device owner to discuss plans for limiting network access or applying future updates that address the RTSP service instability.

References