Search criteria
1 vulnerability by Xiami
CVE-2025-6532 (GCVE-0-2025-6532)
Vulnerability from cvelistv5 – Published: 2025-06-24 00:00 – Updated: 2025-06-25 15:02
VLAI
Title
NOYAFA/Xiami LF9 Pro RTSP Live Video Stream Endpoint access control
Summary
A vulnerability classified as problematic was found in NOYAFA/Xiami LF9 Pro up to 20250611. Affected by this vulnerability is an unknown functionality of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names.
Severity
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.313651 | vdb-entry |
| https://vuldb.com/?ctiid.313651 | signaturepermissions-required |
| https://vuldb.com/?submit.595453 | third-party-advisory |
| https://github.com/geo-chen/LF9 | related |
| https://github.com/geo-chen/LF9?tab=readme-ov-fil… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6532",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T14:58:54.398177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T15:02:47.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/geo-chen/LF9?tab=readme-ov-file#finding-1-unauthenticated-access-of-livestream-and-download-of-video-recordings"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"RTSP Live Video Stream Endpoint"
],
"product": "LF9 Pro",
"vendor": "NOYAFA",
"versions": [
{
"status": "affected",
"version": "20250611"
}
]
},
{
"modules": [
"RTSP Live Video Stream Endpoint"
],
"product": "LF9 Pro",
"vendor": "Xiami",
"versions": [
{
"status": "affected",
"version": "20250611"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "geochen (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic was found in NOYAFA/Xiami LF9 Pro up to 20250611. Affected by this vulnerability is an unknown functionality of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names."
},
{
"lang": "de",
"value": "In NOYAFA/Xiami LF9 Pro bis 20250611 wurde eine problematische Schwachstelle entdeckt. Das betrifft eine unbekannte Funktionalit\u00e4t der Komponente RTSP Live Video Stream Endpoint. Durch Manipulieren mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann im lokalen Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T00:00:08.696Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-313651 | NOYAFA/Xiami LF9 Pro RTSP Live Video Stream Endpoint access control",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.313651"
},
{
"name": "VDB-313651 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.313651"
},
{
"name": "Submit #595453 | HiDvr dashcam LF9 Pro Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.595453"
},
{
"tags": [
"related"
],
"url": "https://github.com/geo-chen/LF9"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/geo-chen/LF9?tab=readme-ov-file#finding-1-unauthenticated-access-of-livestream-and-download-of-video-recordings"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-23T16:26:46.000Z",
"value": "VulDB entry last update"
}
],
"title": "NOYAFA/Xiami LF9 Pro RTSP Live Video Stream Endpoint access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-6532",
"datePublished": "2025-06-24T00:00:08.696Z",
"dateReserved": "2025-06-23T14:21:33.110Z",
"dateUpdated": "2025-06-25T15:02:47.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}