Xiongmai IP camera flaw lets attackers bypass authentication and access devices remotely


A critical vulnerability in Hangzhou Xiongmai’s XM530 IP cameras can let attackers bypass authentication and gain remote access to sensitive functions without valid credentials. The flaw is tracked as CVE-2025-65856, and CISA published industrial control systems advisory ICSA-26-113-05 on April 23, 2026.

The issue affects Xiongmai XM530 IP cameras running firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. GitHub’s advisory database, which mirrors NVD data here, describes the bug as an authentication bypass in the camera’s ONVIF implementation.

The impact is serious because the vulnerable ONVIF service reportedly fails to enforce authentication on 31 critical endpoints. That can expose live video streams, device information, network settings, and other administrative data to an unauthenticated remote attacker. The flaw carries a CVSS 3.1 score of 9.8, which places it in the critical range.

What the vulnerability does

According to the public technical writeup from researcher Luis Miranda Acebedo, the camera accepts unauthenticated SOAP requests on ONVIF endpoints that should require WS-Security authentication. The researcher says that standard ONVIF authentication can be bypassed entirely because the device does not validate those security headers correctly.

The exposed endpoints include functions such as GetDeviceInformation, GetUsers, GetStreamUri, GetSnapshotUri, GetNetworkInterfaces, and GetNetworkProtocols. In practice, that means an attacker may be able to pull hardware and firmware details, enumerate users, retrieve stream locations, and inspect network settings without logging in first.
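For monitoring, the behavior described above can be turned into a check over recorded ONVIF traffic: flag any call to one of the named operations that carried neither a WS-Security UsernameToken nor an HTTP Authorization header and still received a 200. This is an added example, not code from the researcher's writeup or the advisories; the record fields (`src`, `headers`, `status`, `body`) and the sample data are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = {"http://www.w3.org/2003/05/soap-envelope", "http://schemas.xmlsoap.org/soap/envelope/"}
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
TOKEN_PATH = f"{{{WSSE}}}Security/{{{WSSE}}}UsernameToken"
# Operations the article names as answering without credentials.
SENSITIVE_OPS = {"GetDeviceInformation", "GetUsers", "GetStreamUri",
                 "GetSnapshotUri", "GetNetworkInterfaces", "GetNetworkProtocols"}

def _split(tag):  # ElementTree tag '{namespace}local' -> (namespace, local)
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def inspect_request(body):
    """Return (operation, has_username_token); (None, False) if not a SOAP request."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:  # SOAP forbids DTDs; do not parse them
        return None, False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, False
    ns, local = _split(root.tag)
    if local != "Envelope" or ns not in SOAP_NS:
        return None, False
    has_token = root.find(f"{{{ns}}}Header/{TOKEN_PATH}") is not None
    body_el = root.find(f"{{{ns}}}Body")
    op = _split(body_el[0].tag)[1] if body_el is not None and len(body_el) else None
    return op, has_token

def flag_unauthenticated(records):
    """List (src, operation) for sensitive calls answered 200 with no credentials."""
    hits = []
    for r in records:
        op, has_token = inspect_request(r["body"])
        http_auth = any(k.lower() == "authorization" for k in r["headers"])
        if op in SENSITIVE_OPS and not (has_token or http_auth) and r["status"] == 200:
            hits.append((r["src"], op))
    return hits

# Constructed sample records (documentation addresses), not captured traffic.
ENV = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="' + WSSE + '" '
       'xmlns:t="http://www.onvif.org/ver10/device/wsdl">%s<s:Body><t:%s/></s:Body></s:Envelope>')
TOKEN = "<s:Header><w:Security><w:UsernameToken/></w:Security></s:Header>"
SAMPLE = [
    {"src": "192.0.2.10", "headers": {}, "status": 200, "body": ENV % ("", "GetUsers")},
    {"src": "192.0.2.11", "headers": {}, "status": 200, "body": ENV % (TOKEN, "GetUsers")},
    {"src": "192.0.2.12", "headers": {}, "status": 401, "body": ENV % ("", "GetNetworkInterfaces")},
    {"src": "192.0.2.13", "headers": {}, "status": 200, "body": ENV % ("", "GetSystemDateAndTime")},
]
```

Only the first sample record is flagged: the second carries a token, the third was rejected by the device, and GetSystemDateAndTime is not in the list of operations the article names.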

The researcher also says the flaw can expose relay and PTZ-related functions on some devices, which raises the risk beyond passive spying. In the worst case, a remotely reachable camera could become both a surveillance target and a foothold for wider internal network reconnaissance.

Why this is a bigger problem than one camera model

Xiongmai is a major OEM supplier whose hardware is often sold under many different brand names. The researcher specifically notes ANBIUX as one commercial brand and says the XM530 platform is widely rebranded, which means the same vulnerable base hardware may appear in different products and listings.

That is one reason flaws in low-cost IP cameras often linger. Security teams may not realize they are running the same underlying firmware because the device label on the box differs from the actual OEM platform inside it.

There is also a practical response problem. GitHub’s advisory page lists patched versions as unknown, and the researcher’s public writeup says no patch is currently available and that vendor contact attempts did not receive a response.

At a glance

| Item | Details |
|---|---|
| Vulnerability | CVE-2025-65856 |
| Advisory | ICSA-26-113-05 |
| Vendor | Hangzhou Xiongmai Technology Co., Ltd. |
| Affected product | XM530 IP camera |
| Affected firmware | V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 |
| Severity | Critical, CVSS 9.8 |
| Main issue | Authentication bypass in ONVIF |
| Patch status | Patched versions unknown |

Source basis: CISA advisory listing, GitHub Advisory Database, and the researcher’s public technical repository.

What organizations should do now

  • Remove affected cameras from direct internet exposure. The researcher recommends isolated VLANs, strict firewall rules, and VPN-only remote access.
  • Block inbound access to ports commonly used by the device, including 80, 8000, 8080, 8899, and 554, unless access is strictly required.
  • Check whether ONVIF can be disabled on the device and turn it off if your deployment does not need it.
  • Treat rebranded XM530-based cameras as potentially affected until you confirm the exact hardware and firmware. The public writeup says the issue likely affects V5.00.R02.* builds beyond the one tested version.
  • Consider replacing exposed or unpatchable units in sensitive environments. The researcher explicitly recommends replacement if a secure update path is not available.

FAQ

What is CVE-2025-65856?

It is a critical authentication bypass vulnerability in Xiongmai XM530 IP cameras. Public advisories say the flaw affects the ONVIF implementation and can let unauthenticated attackers access sensitive device functions.

Which firmware version is affected?

The named affected firmware is V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The researcher also says other V5.00.R02.* versions may be affected, but that broader scope has not been formally confirmed in the advisory snippet I reviewed.

How severe is the flaw?

The issue has a CVSS 3.1 score of 9.8 and is rated critical. GitHub’s advisory page says it is network-exploitable, requires no privileges, and needs no user interaction.

Is there a patch?

I did not find a confirmed patched version in the sources reviewed. GitHub’s advisory page lists patched versions as unknown, and the researcher says no patch is currently available.
