CISA 2026-04-23

Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera

CVE-2025-65856

Machine-generated analysis · WAYSCloud LLM

The advisory notes that the vendor has not responded to CISA mitigation requests. Unauthenticated access to 31 specific ONVIF endpoints allows full video stream capture.

Context

The affected product is the Hangzhou Xiongmai XM530 IP Camera, specifically firmware version V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06. The advisory states that the ONVIF implementation fails to enforce authentication on 31 endpoints, allowing unauthenticated remote attackers to access live video streams and sensitive device information. The advisory explicitly lists commercial facilities as the critical infrastructure sector where these cameras are deployed.

Operator considerations

Check: Inventory for XM530 cameras with the specified firmware version.
Isolate: Segment affected cameras from internet access and restrict network access to trusted hosts only.
Log: Monitor network traffic for unauthenticated requests to ONVIF endpoints on port 80/554.

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of this vulnerability could allow an attacker to bypass authentication and have remote access to sensitive information on the device.

The following versions of Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera are affected:

IP Camera XM530V200_X6-WEQ_8M firmware V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06 (CVE-2025-65856)

Vendor

Equipment

Hangzhou Xiongmai Technology Co., Ltd

Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera

Missing Authentication for Critical Function

Critical Infrastructure Sectors: Commercial Facilities

Countries/Areas Deployed: Worldwide

Company Headquarters Location: China

Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation...

Read the full advisory on CISA →