Description
A broken authorization boundary in the RTSP media delivery pipeline of Shenzhen Liandian Communication Technology LTD V380 IP Camera firmware AppFHE1_V1.0.6.020230803 enables unauthenticated network actors to bypass the device’s credential-enforced live-view workflow and directly retrieve real-time video stream data.
Published: 2026-06-18
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A broken authorization boundary in the RTSP media delivery pipeline of the V380 IP Camera allows unauthenticated network actors to bypass the device’s credential‑enforced live‑view workflow and directly retrieve real‑time video stream data. This compromises the confidentiality of live video feeds, enabling potential surveillance or data exfiltration. The weakness is a classic authentication bypass (CWE‑306).

Affected Systems

Shenzhen Liandian Communication Technology LTD’s V380 IP Camera, running firmware AppFHE1 V1.0.6.020230803. No other versions or products are documented as affected.

Risk and Exploitability

With a CVSS score of 6, the vulnerability carries moderate impact and may be exploitable over the network wherever RTSP services are exposed. The EPSS score is not available, and the issue is currently not listed in CISA’s KEV catalog. Attackers can exploit it by sending unauthenticated RTSP requests from any remote network location, receiving real‑time video without requiring credentials. The likely attack vector is remote network access via the RTSP service.

Generated by OpenCVE AI on June 18, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a firmware version that fixes the broken authorization boundary.
  • Configure firewall or router rules to block incoming RTSP traffic from untrusted networks, allowing only controlled IP ranges.
  • Deploy network segmentation or a virtual LAN for security cameras, and implement traffic monitoring or intrusion detection to alert on suspicious RTSP connections.

Generated by OpenCVE AI on June 18, 2026 at 18:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Title Broken Authorization Leading to Unauthenticated Live Video Exposure on V380 IP Camera

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A broken authorization boundary in the RTSP media delivery pipeline of Shenzhen Liandian Communication Technology LTD V380 IP Camera firmware AppFHE1_V1.0.6.020230803 enables unauthenticated network actors to bypass the device’s credential-enforced live-view workflow and directly retrieve real-time video stream data.
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/V:C/U:Red'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Toreon

Published:

Updated: 2026-06-18T14:54:30.902Z

Reserved: 2026-06-17T13:45:59.689Z

Link: CVE-2026-12527

cve-icon Vulnrichment

Updated: 2026-06-18T14:54:24.767Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:15:02Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function