Your Eyes, My Eyes: Hacking an IP Camera (CVE Hunt Edition)

This hunt initially started because of my childhood fantasy of doing something like in the movies where I "remotely hack a camera and take control of it". Happy to say that my inner child is satisfied again.

Context

The target: Shenzhen Ningyuanda TC155 IP camera, firmware version 57.0.2.0. Exposed services included ONVIF for camera control and RTSP for video streaming. The assumption? That anyone talking to it on the network could be trusted.

Spoiler: they weren’t.

Threat Model / Attacker Position

From a network-adjacent position, without credentials and with no prior access, I started probing the camera with nmap, a custom tool I made on the fly for scanning ONVIF, and the other tools at my disposal.

What I found wasn't overly complex exploits; it was missing boundaries from overly trusting an unknown environment (with missing authentication as the root cause), plus missing sanity checks inside the camera's firmware.

Over the course of testing, I uncovered four unauthenticated vulnerabilities, including an RTSP stream you could just… watch, and straight up full camera PTZ control (yikes!). Each of these got its own CVE, and each one reinforced the same lesson:

this camera was like a little kid, too gullible and trusting

The CVEs

CVE-2025-14746 - Unauthenticated RTSP Stream Access

Self-explanatory. Any adversary within the network can remotely view the camera. This is a recipe for breaking into someone else's private space and privacy if the camera is misconfigured and exposed to the internet.

CVE-2025-14747 - Unauthenticated Malformed RTSP DESCRIBE Request Leading to Device Reboot

The TC155 IP Camera, manufactured by Shenzhen Ningyuanda Technology Co., Ltd., exposes an unauthenticated RTSP service on port 554. Any attacker within the local network can send a malformed RTSP DESCRIBE request to this service. When processed, the camera enters a fault state that triggers an automatic reboot, causing a temporary loss of video feed and resulting in a repeatable denial-of-service condition.

This is just pure evil: you can crash the device remotely just by sending python2 -c "print 'DESCRIBE ' + 'A'*1000 + ' RTSP/1.0\r\n\r\n'" | nc <camera-ip> 554

CVE-2025-14748 - Unauthenticated Hard Reset via ONVIF SetSystemFactoryDefault

The TC155 IP Camera exposes the ONVIF Device Management service without authentication. An attacker on the local network can invoke the SetSystemFactoryDefault action with FactoryDefault=Hard, resulting in a full factory reset, loss of configuration, and temporary loss of availability. No credentials are required.

Simply put, you can hard reset the device remotely...... without authentication...

The Knockout Punch: CVE-2025-14749 - Unauthenticated ONVIF PTZ Interface Allows Full Remote Camera Direction Control

The TC155 IP Camera exposes its ONVIF PTZ control interface without requiring any form of authentication. The PTZ service endpoint (/onvif/deviceservice) is active and accepts movement commands from any network peer.

An unauthenticated attacker on the same network segment can issue ContinuousMove actions against the camera’s PTZ motor. This allows repositioning the camera to redirect or suppress its field of view, bypass surveillance coverage, or force persistent disorientation of the device.

The vulnerability exists due to the firmware accepting PTZ SOAP requests without validating the requester’s identity or enforcing profile‑level capability checks.

This one's the scariest. On a physical red team operation this would be the killing blow, as the operators can move freely within a place just by repositioning the camera's field of vision. Combined with CVE-2025-14746, you can see the camera's angle before, during, and after you've moved the camera.
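As an added example (not from the original post or the advisories), here is a small Python check a defender could run over captured client-to-camera requests to flag the four patterns above. The trusted-host address and sample requests are constructed, and the check assumes legitimate ONVIF clients authenticate with a WS-Security UsernameToken and legitimate RTSP clients send an Authorization header.

```python
import re

# Constructed example values: hosts allowed to pull video or manage the camera.
TRUSTED_CONTROLLERS = {"192.0.2.10"}   # e.g. the NVR / VMS host
MAX_REQUEST_LINE = 256                 # a genuine RTSP request line is far shorter

RTSP_REQ_LINE = re.compile(rb"^[A-Z_]+ \S+ RTSP/1\.0\r\n")
ONVIF_ACTIONS = {
    b"SetSystemFactoryDefault": "CVE-2025-14748 factory reset",
    b"ContinuousMove": "CVE-2025-14749 PTZ move",
}


def inspect_request(src_ip, dst_port, payload):
    """Return a list of alert strings for one client->camera request (raw bytes)."""
    alerts = []
    line_end = payload.find(b"\r\n")
    request_line = payload if line_end < 0 else payload[:line_end]

    if dst_port == 554:  # RTSP
        # Oversized or non-RTSP request line: the DESCRIBE-with-1000-'A's crash pattern.
        if len(request_line) > MAX_REQUEST_LINE or not RTSP_REQ_LINE.match(payload):
            alerts.append(f"{src_ip}: malformed/oversized RTSP request line "
                          f"({len(request_line)} bytes) - CVE-2025-14747 DoS pattern")
        # A credential-less DESCRIBE from an unknown host means someone is pulling video.
        elif (request_line.startswith(b"DESCRIBE ")
              and b"\r\nAuthorization:" not in payload
              and src_ip not in TRUSTED_CONTROLLERS):
            alerts.append(f"{src_ip}: DESCRIBE without credentials from untrusted host "
                          "- CVE-2025-14746 stream exposure")

    elif request_line.startswith(b"POST /onvif/"):  # ONVIF SOAP over HTTP
        for action, label in ONVIF_ACTIONS.items():
            # Assumption: ONVIF clients normally carry a WS-Security UsernameToken.
            if (action in payload and b"UsernameToken" not in payload
                    and src_ip not in TRUSTED_CONTROLLERS):
                alerts.append(f"{src_ip}: unauthenticated ONVIF {action.decode()} - {label}")
    return alerts


if __name__ == "__main__":
    # Constructed sample: the reboot payload from the post, seen from an unknown host.
    dos = b"DESCRIBE " + b"A" * 1000 + b" RTSP/1.0\r\n\r\n"
    for alert in inspect_request("192.0.2.77", 554, dos):
        print(alert)
```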

Vendor Response

The vendor did not respond to multiple contact attempts. At the time of writing, there is a strong possibility these issues will remain unpatched.

Conclusion

If you have to buy surveillance, buy from a reputable company. IoT devices that trust everything around them by default don't age well.

Reference: https://github.com/pwnpwnpur1n/IoT-advisories/