CVE-2026-35903 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: April 28, 2026
MERCURY MIPC252W - Authentication Bypass
Published: April 27, 2026 | Updated: April 28, 2026 | Remote Exploitable
Overview
MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in its RTSP service. The service does not verify the Digest response in subsequent requests, so attackers with network access can issue unauthorized RTSP commands by reusing session parameters. Exploitation requires network access to a previously authenticated session.
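The following added example (not the vendor's firmware code) models the class of flaw described above next to the per-request check that closes it. It assumes RFC 2617 Digest without qop using MD5; the names `RtspSession`, `handle_flawed`, `handle_hardened` and all credentials, nonces and URIs are constructed for illustration.

```python
import hashlib
import hmac
import re

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def expected_response(user, realm, password, nonce, method, uri):
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")  # binds the response to this method and URI
    return _md5(f"{ha1}:{nonce}:{ha2}")  # RFC 2617 Digest without qop

def make_auth(user, realm, nonce, uri, response):
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')

def digest_ok(method, uri, auth, creds, realm, nonce):
    fields = dict(re.findall(r'(\w+)="([^"]*)"', auth or ""))
    user = fields.get("username")
    if (user not in creds or fields.get("realm") != realm
            or fields.get("nonce") != nonce or fields.get("uri") != uri):
        return False
    want = expected_response(user, realm, creds[user], nonce, method, uri)
    return hmac.compare_digest(want.encode(), fields.get("response", "").encode())

class RtspSession:
    def __init__(self, creds, realm, nonce):
        self.creds, self.realm, self.nonce, self.authenticated = creds, realm, nonce, False

    def handle_flawed(self, method, uri, auth):
        # Verifies Digest once, then trusts the session for every later request.
        if not self.authenticated:
            self.authenticated = digest_ok(method, uri, auth, self.creds, self.realm, self.nonce)
        return 200 if self.authenticated else 401

    def handle_hardened(self, method, uri, auth):
        # Recomputes and checks the Digest response on every request.
        ok = digest_ok(method, uri, auth, self.creds, self.realm, self.nonce)
        return 200 if ok else 401

def demo():
    creds, realm, nonce = {"admin": "example-password"}, "example-realm", "0123abcd"  # constructed
    uri = "rtsp://192.0.2.10/stream1"  # constructed, documentation address range
    good = make_auth("admin", realm, nonce, uri,
                     expected_response("admin", realm, "example-password", nonce, "DESCRIBE", uri))
    s = RtspSession(creds, realm, nonce)
    reqs = [("DESCRIBE", good), ("PLAY", good), ("TEARDOWN", None)]
    return ([s.handle_flawed(m, uri, a) for m, a in reqs],
            [s.handle_hardened(m, uri, a) for m, a in reqs])
```

`demo()` returns the status codes for the same three requests under each handler: the hardened handler rejects the `PLAY` that carries a response computed for `DESCRIBE` and the `TEARDOWN` with no Authorization header.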
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can issue unauthorized RTSP control commands, potentially allowing control over the device's streaming functions.
Mitigation
Update to the latest firmware version that patches this vulnerability.
Details
- CVE ID: CVE-2026-35903
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_authentication
- Status: unconfirmed
CWE
- CWE-287
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H