CVE-2017-8405
Description
An issue was discovered on D-Link DCS-1130 and DCS-1100 devices. The binary rtspd in the /sbin folder of the device handles all the RTSP connections received by the device. It seems that code in the binary at address 0x00012CF4 loads a flag called "Authenticate" that indicates whether a user should be authenticated or not before being allowed access to the video feed. By default, the value of this flag is zero; it can be set/unset through the HTTP interface, in the network settings tab (the original advisory shows this in a screenshot). The device requires a user logging in to the HTTP management interface to provide a valid username and password. However, the device does not enforce the same restriction by default on the RTSP URL, because the checkbox is unchecked by default, thereby allowing any attacker in possession of the external IP address of the camera to view the live video feed. The severity of this attack is enlarged by the fact that there are more than 100,000 D-Link devices out there.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DCS-1130 and DCS-1100 cameras allow unauthenticated RTSP access to live video feed due to default disabled authentication flag.
Vulnerability
The RTSP daemon (rtspd, in /sbin) on D-Link DCS-1130 and DCS-1100 devices handles every RTSP connection the camera receives. Code at address 0x00012CF4 in the binary loads a flag named Authenticate that decides whether a client must authenticate before it is granted access to the video feed. By default this flag is zero, so RTSP connections are served without any credential check. The HTTP management interface does require a valid username and password, but that requirement is not applied to RTSP URLs unless the flag is turned on in the network settings tab. Neither the description nor the reference identifies particular firmware versions, so any DCS-1130 or DCS-1100 left at default settings should be treated as affected [1].
Exploitation
An attacker needs only the external IP address of the camera. No authentication, user interaction, or special network position is required. The attacker can open the RTSP stream directly (for example in a media player, using a URL of the form rtsp://<camera-ip>/...) and view the live video feed without supplying any credentials [1].
Impact
Successful exploitation results in unauthorized viewing of the live video feed, a breach of confidentiality. The attacker gains no other privileges or control over the device through this issue, but the privacy of whatever the camera observes is compromised. The description notes that more than 100,000 D-Link devices are deployed, so the potential for widespread surveillance is significant [1].
Mitigation
No official firmware update has been released to address this issue as of the publication date. Users can manually enable authentication for RTSP access by logging into the HTTP management interface and checking the authentication checkbox in the network settings tab. This workaround sets the Authenticate flag to 1, so RTSP connections then require credentials [1]. Two caveats apply: because the default value is zero, the setting must be re-applied after any factory reset, and since the issue is only reachable by an attacker who can reach the RTSP service, the camera should not be exposed directly to the Internet in the first place. After enabling the checkbox, confirm the change took effect by sending an RTSP DESCRIBE request to the camera without credentials and checking that the daemon now answers with a 401 Unauthorized rather than an SDP description.
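The probe described above, written out as an added example (it is not code from the advisory, from D-Link, or from this page's references). It speaks RTSP/1.0 directly over a TCP socket so it needs no media library, and it classifies the reply to DESCRIBE: a 401 with WWW-Authenticate means the Authenticate flag is in effect, while a 200 carrying an SDP body means the feed is handed out without credentials. The stream path, the TCP port and the two sample replies are assumptions made for the example; pass the camera's real path if you know it, and treat any other status (such as 404 for a wrong path) as inconclusive rather than as proof of either posture.

```python
"""Check whether an RTSP server demands credentials for DESCRIBE.

Added example, not the advisory's own code. Stream path and port are
assumptions; the sample replies below are constructed, not captured.
"""
import socket

CRLF = "\r\n"


def build_describe(host: str, path: str = "/", cseq: int = 1) -> bytes:
    """Build a minimal RTSP/1.0 DESCRIBE request with no Authorization header."""
    url = f"rtsp://{host}{path}"
    lines = [
        f"DESCRIBE {url} RTSP/1.0",
        f"CSeq: {cseq}",
        "Accept: application/sdp",
        "User-Agent: rtsp-auth-check/0.1",  # hypothetical agent string
        "",
        "",
    ]
    return CRLF.join(lines).encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Split an RTSP response into status code, lower-cased headers and body."""
    text = raw.decode("utf-8", errors="replace")
    head, _, body = text.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError(f"not an RTSP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "headers": headers, "body": body}


def classify(resp: dict) -> str:
    """Map a DESCRIBE reply to the authentication posture it reveals."""
    status = resp["status"]
    if status == 401 and "www-authenticate" in resp["headers"]:
        return "auth-required"            # Authenticate flag is in effect
    if status == 200 and "sdp" in resp["headers"].get("content-type", ""):
        return "unauthenticated-access"   # SDP served with no credentials
    return f"inconclusive ({status})"     # e.g. 404 for an unknown path


def probe(host: str, port: int = 554, path: str = "/", timeout: float = 5.0) -> str:
    """Connect to a live camera, send DESCRIBE and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(host, path))
        buf = b""
        while (CRLF + CRLF).encode() not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify(parse_response(buf))


# Constructed sample replies (not captured from a real DCS-1130/DCS-1100).
SAMPLE_OPEN = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 39\r\n\r\nv=0\r\no=- 0 0 IN IP4 0.0.0.0\r\ns=stream\r\n"
)
SAMPLE_LOCKED = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Basic realm="camera"\r\n\r\n'
)

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Live check: python rtsp_auth_check.py <camera-ip> [path]
        print(probe(sys.argv[1], path=sys.argv[2] if len(sys.argv) > 2 else "/"))
    else:
        print("open   ->", classify(parse_response(SAMPLE_OPEN)))
        print("locked ->", classify(parse_response(SAMPLE_LOCKED)))
```

Run it against the camera before and after ticking the checkbox: the first run should report unauthenticated-access and the second auth-required. The classifier deliberately refuses to call a non-200, non-401 reply either way, because a 404 on a guessed path says nothing about whether the real stream path is protected.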
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link DCS-1130 and DCS-1100 devices (from the description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html (MITRE, x_refsource_MISC)
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf (MITRE, x_refsource_MISC)
- seclists.org/bugtraq/2019/Jun/8 (MITRE, mailing list, x_refsource_BUGTRAQ)
News mentions
No linked articles in our index yet.