IPC device ONVIF bypasses identity authentication
Warning number: GL-2025-0002
Initial release time: 2025-3-20
Update release time: Released with version plan
Summary:
When an IPC device provides ONVIF services, several APIs do not have identity authentication added. This allows the configuration of the ONVIF server (the IPC device) to be changed by bypassing identity authentication.
This vulnerability has been assigned a CVE ID of: None.
Vulnerability information is provided by the customer.
Sphere of impact:
Affected versions and models:
IPC 8.2.3
IPC 8.2.4
| Name | Version | Model |
|---|---|---|
| IPC | 8.2.3 | NT98528 SSC369G |
| IPC | 8.2.4 | SC335X SC327DE 339G 338G 30KQ 338Q NT98525 NT98528 NT98529 AX620A SC379G NT98566 SSC369G |
Impact and consequences:
If the device is not exposed to the public network, the impact is not significant. However, for devices exposed to the public network, some parameters may be modified.
Vulnerability Scoring:
None.
Technical details:
Vulnerability details:
Some ONVIF APIs do not have authentication enabled, which may result in malicious tampering of device parameters and data loss.
Temporary workaround:
Few devices are exposed to the public network, so no workaround is available yet. We will update this plan later.
Solution and version update plan:
Solution:
Check the API provided by the device and add identity verification.
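One way a device-side request dispatcher could apply this check, shown as an added example that is not the vendor's code: every operation is denied unless it carries a valid WS-Security UsernameToken digest, the credential scheme defined for ONVIF. The pre-authentication allowlist, the user store, the skew limit and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: operations callable without credentials. The ONVIF Core
# specification leaves GetSystemDateAndTime open so that clients can sync
# clocks before computing a digest; everything else is denied by default.
PRE_AUTH_OPERATIONS = {"GetSystemDateAndTime"}

# Constructed sample credential store (hypothetical user and password).
USERS = {"admin": "S3cure-Example-Pass"}
MAX_CLOCK_SKEW = timedelta(seconds=30)
_seen_nonces = set()  # replay cache; a real device would expire old entries


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def authorize(operation, token, now=None):
    """Return True only if the SOAP operation may be dispatched."""
    if operation in PRE_AUTH_OPERATIONS:
        return True
    if token is None:  # request carried no wsse:Security header
        return False
    password = USERS.get(token.get("username"))
    if password is None:
        return False
    try:
        nonce = base64.b64decode(token["nonce"], validate=True)
        created = datetime.strptime(token["created"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    now = now or datetime.now(timezone.utc)
    if abs(now - created) > MAX_CLOCK_SKEW or nonce in _seen_nonces:
        return False  # stale timestamp or replayed nonce
    expected = password_digest(nonce, token["created"], password).encode()
    if not hmac.compare_digest(expected, token.get("digest", "").encode()):
        return False
    _seen_nonces.add(nonce)
    return True
```

Because the gate sits in front of the dispatcher and defaults to deny, an operation added later is protected unless it is deliberately placed on the allowlist.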
Version update plan:
Updated with C1.2 version.
Version acquisition method:
None
Vulnerability information sources and vulnerability exploitation:
We are currently not aware of any other public channels publishing the vulnerabilities mentioned in this article, nor are we aware of any cases where the vulnerabilities have been maliciously exploited.
Technical support channels:
None
Security Advisory Version Revision Information:
IPC is updated starting from version C1.2.
FAQs:
None