cbcvebase.
CVE-2013-4985
published 2019-12-27

CVE-2013-4985: Multiple Vivotek IP Cameras remote authentication bypass that could allow access to the video stream

PriorityP265high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
8.97%
94.6th percentile
Multiple Vivotek IP Cameras remote authentication bypass that could allow access to the video stream

Affected

6 ranges
VendorProductVersion rangeFixed in
vivotekip7160_firmware
vivotekip7160_firmware
vivotekip7361_firmware
vivotekip7361_firmware
vivotekip8332_firmware
vivotekip8332_firmware

Detection & IOCsextracted from sources · hover to see the quote

port554
urlrtsp://localhost:9999/live.sdp
otherAuthorization: Basic a
path/live.sdp
  • Detect RTSP authentication bypass attempts by monitoring for RTSP DESCRIBE requests on TCP port 554 where the Authorization header contains a single-character Base64 token (e.g., 'Authorization: Basic a'), indicating a spoofed/minimal credential used to bypass basic auth.
  • Monitor for RTSP traffic (TCP port 554) targeting Vivotek IP cameras (IP7160, IP7361, IP8332) with firmware versions 0105a or 0105b, particularly DESCRIBE requests to the /live.sdp resource.
  • Alert on RTSP sessions where a 401 Unauthorized response is followed immediately by a subsequent DESCRIBE request bearing a trivially short or invalid Authorization: Basic value, as the PoC intercepts and replaces the credential with a single character.
  • Consider filtering or alerting on all inbound RTSP traffic (default port 554) from untrusted/internet-facing sources targeting Vivotek camera endpoints.
  • ·The vulnerability only applies when RTSP basic authentication is explicitly enabled on the camera; the vendor noted that RTSP authentication is disabled by default, meaning default-configured cameras may not be directly exploitable via this bypass but are still unauthenticated.
  • ·Affected firmware versions are 0105a and 0105b; the vendor released beta firmware 0301c as the fix. Cameras not yet patched to 0301c or later remain vulnerable.
  • ·The PoC acts as a TCP proxy/tunnel that rewrites the Authorization header in-flight; detection must therefore account for man-in-the-middle proxy scenarios and not solely rely on direct camera traffic inspection.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.