{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13607", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-11-24T14:53:22.497Z", "datePublished": "2025-12-10T17:15:54.014Z", "dateUpdated": "2025-12-11T19:00:24.673Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "DCS-F5614-L1", "vendor": "D-Link", "versions": [{"lessThanOrEqual": "1.03.038", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Souvik Kandar"}], "datePublic": "2025-12-09T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.</p>"}], "value": "A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-12-10T20:50:50.374Z"}, "references": [{"name": "url", "url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10462"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-343-03"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-343-03.json"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "D-Link has released a security advisory and a software update for the affected camera model. Please visit this <a target=\"_blank\" rel=\"nofollow\" href=\"https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10462\">D-Link Security Announcement</a>&nbsp;for further information.<p>D-Link strongly urges all users to install the relevant updates and \nregularly check for further updates. After downloading the software \nupdate, it is essential to ALWAYS validate its success by comparing the \nsoftware version on your product interface to the software update \nversion.</p>\n<p>The model number listed in this advisory is known only for D-Link \nIndia Limited. Users of cameras produced by the other listed vendors are\n encouraged to evaluate this vulnerability within their environment.</p>\n\n<br>"}], "value": "D-Link has released a security advisory and a software update for the affected camera model. Please visit this D-Link Security Announcement https://supportannouncement.us.dlink.com/security/publication.aspx \u00a0for further information.D-Link strongly urges all users to install the relevant updates and \nregularly check for further updates. After downloading the software \nupdate, it is essential to ALWAYS validate its success by comparing the \nsoftware version on your product interface to the software update \nversion.\n\n\nThe model number listed in this advisory is known only for D-Link \nIndia Limited. Users of cameras produced by the other listed vendors are\n encouraged to evaluate this vulnerability within their environment."}], "source": {"advisory": "ICSA-25-343-03", "discovery": "EXTERNAL"}, "title": "D-Link CCTV camera model DCS-F5614-L1 Missing Authentication for Critical Function", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-11T18:29:06.920491Z", "id": "CVE-2025-13607", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-11T19:00:24.673Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13607", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-11T18:29:06.920491Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-11T18:29:11.040Z"}}], "cna": {"title": "D-Link CCTV camera model DCS-F5614-L1 Missing Authentication for Critical Function", "source": {"advisory": "ICSA-25-343-03", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Souvik Kandar"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "D-Link", "product": "DCS-F5614-L1", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.03.038"}], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "D-Link has released a security advisory and a software update for the affected camera model. Please visit this D-Link Security Announcement https://supportannouncement.us.dlink.com/security/publication.aspx \u00a0for further information.D-Link strongly urges all users to install the relevant updates and \nregularly check for further updates. After downloading the software \nupdate, it is essential to ALWAYS validate its success by comparing the \nsoftware version on your product interface to the software update \nversion.\n\n\nThe model number listed in this advisory is known only for D-Link \nIndia Limited. Users of cameras produced by the other listed vendors are\n encouraged to evaluate this vulnerability within their environment.", "supportingMedia": [{"type": "text/html", "value": "D-Link has released a security advisory and a software update for the affected camera model. Please visit this <a target=\"_blank\" rel=\"nofollow\" href=\"https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10462\">D-Link Security Announcement</a>&nbsp;for further information.<p>D-Link strongly urges all users to install the relevant updates and \nregularly check for further updates. After downloading the software \nupdate, it is essential to ALWAYS validate its success by comparing the \nsoftware version on your product interface to the software update \nversion.</p>\n<p>The model number listed in this advisory is known only for D-Link \nIndia Limited. Users of cameras produced by the other listed vendors are\n encouraged to evaluate this vulnerability within their environment.</p>\n\n<br>", "base64": false}]}], "datePublic": "2025-12-09T00:00:00.000Z", "references": [{"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10462", "name": "url"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-343-03"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-343-03.json"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.", "supportingMedia": [{"type": "text/html", "value": "<p>A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-12-10T20:50:50.374Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13607", "state": "PUBLISHED", "dateUpdated": "2025-12-11T19:00:24.673Z", "dateReserved": "2025-11-24T14:53:22.497Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-12-10T17:15:54.014Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL."}], "id": "CVE-2025-13607", "lastModified": "2025-12-10T21:16:03.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-12-10T18:16:18.157", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-343-03.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10462"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-343-03"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}

{}

{"created": "2025-12-10T21:33:12.785471+00:00", "updated": "2025-12-10T21:33:12.785496+00:00", "vendors": ["d-link", "d-link$PRODUCT$dcs-f5614-l1"]}