CVE-2026-12527

An unauthenticated network attacker first gains root shell access to the device, for example via the undocumented Telnet service with hard-coded credentials (CVE-2025-7503) [ref_id=1]. With root access, the attacker modifies the `rtsp_enable` value in `/mnt/mtd/mvconf/factory_const.ini` to 1 and reboots the camera. After reboot, the RTSP service starts and exposes the live video feed without requiring any credentials, allowing the attacker to directly retrieve real-time video stream data over the network [ref_id=1].

The vulnerability resides in the RTSP streaming worker thread within the camera's main binary ("recorder"). The firmware reads the `rtsp_enable` flag from `/mnt/mtd/mvconf/factory_const.ini` and, when set to 1, starts the RTSP/ONVIF services without enforcing the normal authentication and authorization checks that protect the live video stream [ref_id=1].

The advisory does not provide a patch or vendor fix. The researcher notes that the vendor has not released any firmware updates or mitigations [ref_id=1]. To close the vulnerability, the camera's RTSP service would need to enforce the same authentication and authorization checks that protect the normal live-view workflow, rather than relying solely on a configuration flag that can be trivially modified by an attacker with root access.