{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12108", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-10-23T13:00:09.658Z", "datePublished": "2025-11-04T18:43:54.147Z", "dateUpdated": "2025-11-05T14:46:47.761Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "License Plate Recognition Camera", "vendor": "Survision", "versions": [{"status": "affected", "version": "All versions"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Souvik Kandar of Microsec (microsec.io) reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The Survision LPR Camera system does not enforce password protection by default. This allows access to the configuration wizard immediately without a login prompt or credentials check.</p>"}], "value": "The Survision LPR Camera system does not enforce password protection by default. This allows access to the configuration wizard immediately without a login prompt or credentials check."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-11-04T18:43:54.147Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Survision has released the following versions for users to update to:</p><ul><li>License Plate Recognition LPR Camera: Firmware version v3.5</li></ul><p>Survision recommends users to enable the configuration password authentication by defining users and roles with minimal rights in the user management system and, where possible, enforce client certificate authentication.</p><p>For future deployments, plan for integration of the new login/password mechanism and update your installation procedures accordingly.</p><ul><li>On previous versions (inferior to 3.5)</li></ul><p>Survision recommends activating the \"lock\" password in the security parameters and, where possible, enforce client certificate authentication.</p><p>For more information, contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://survisiongroup.com/post-contact\">Survision</a>.</p>\n\n<br>"}], "value": "Survision has released the following versions for users to update to:\n\n * License Plate Recognition LPR Camera: Firmware version v3.5\n\n\nSurvision recommends users to enable the configuration password authentication by defining users and roles with minimal rights in the user management system and, where possible, enforce client certificate authentication.\n\nFor future deployments, plan for integration of the new login/password mechanism and update your installation procedures accordingly.\n\n * On previous versions (inferior to 3.5)\n\n\nSurvision recommends activating the \"lock\" password in the security parameters and, where possible, enforce client certificate authentication.\n\nFor more information, contact Survision https://survisiongroup.com/post-contact ."}], "source": {"discovery": "UNKNOWN"}, "title": "Missing Authentication for Critical Function Survision License Plate Recognition Camera", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T14:46:38.607408Z", "id": "CVE-2025-12108", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:46:47.761Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12108", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-05T14:46:38.607408Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:46:44.099Z"}}], "cna": {"title": "Missing Authentication for Critical Function Survision License Plate Recognition Camera", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Souvik Kandar of Microsec (microsec.io) reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Survision", "product": "License Plate Recognition Camera", "versions": [{"status": "affected", "version": "All versions"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Survision has released the following versions for users to update to:\n\n * License Plate Recognition LPR Camera: Firmware version v3.5\n\n\nSurvision recommends users to enable the configuration password authentication by defining users and roles with minimal rights in the user management system and, where possible, enforce client certificate authentication.\n\nFor future deployments, plan for integration of the new login/password mechanism and update your installation procedures accordingly.\n\n * On previous versions (inferior to 3.5)\n\n\nSurvision recommends activating the \"lock\" password in the security parameters and, where possible, enforce client certificate authentication.\n\nFor more information, contact Survision https://survisiongroup.com/post-contact .", "supportingMedia": [{"type": "text/html", "value": "<p>Survision has released the following versions for users to update to:</p><ul><li>License Plate Recognition LPR Camera: Firmware version v3.5</li></ul><p>Survision recommends users to enable the configuration password authentication by defining users and roles with minimal rights in the user management system and, where possible, enforce client certificate authentication.</p><p>For future deployments, plan for integration of the new login/password mechanism and update your installation procedures accordingly.</p><ul><li>On previous versions (inferior to 3.5)</li></ul><p>Survision recommends activating the \"lock\" password in the security parameters and, where possible, enforce client certificate authentication.</p><p>For more information, contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://survisiongroup.com/post-contact\">Survision</a>.</p>\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-02", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The Survision LPR Camera system does not enforce password protection by default. This allows access to the configuration wizard immediately without a login prompt or credentials check.", "supportingMedia": [{"type": "text/html", "value": "<p>The Survision LPR Camera system does not enforce password protection by default. This allows access to the configuration wizard immediately without a login prompt or credentials check.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-11-04T18:43:54.147Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12108", "state": "PUBLISHED", "dateUpdated": "2025-11-05T14:46:47.761Z", "dateReserved": "2025-10-23T13:00:09.658Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-11-04T18:43:54.147Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Survision LPR Camera system does not enforce password protection by default. This allows access to the configuration wizard immediately without a login prompt or credentials check."}], "id": "CVE-2025-12108", "lastModified": "2025-11-04T19:17:09.740", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-11-04T19:17:09.740", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"created": "2025-11-05T10:47:19.370337+00:00", "updated": "2025-11-05T10:47:19.370362+00:00", "vendors": ["survision", "survision$PRODUCT$license_plate_recognition_camera"]}