CVE-2026-35901
published 2026-04-27
CVE-2026-35901: A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by…
Priority P4 · 17 · medium · 4.4 (CVSS 3.1)
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.25% (15.9th percentile)
A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by repeatedly sending SETUP requests for the same media track within a single RTSP session. This causes the server to reset the RTSP connection, leading to a denial-of-service condition.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mercurycom | mipc252w_firmware | — | — |
GHSA
GHSA-9vv6-2fm3-vxx6: A handling issue in the RTSP service of the Mercury MIPC252W 1
ghsa_unreviewed·2026-04-27
CVE-2026-35901 [MEDIUM] CWE-400 GHSA-9vv6-2fm3-vxx6: A handling issue in the RTSP service of the Mercury MIPC252W 1
VulDB
Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n RTSP Service denial of service
vuldb·2026-04-27·CVSS 4.4
CVE-2026-35901 [MEDIUM] Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n RTSP Service denial of service
A vulnerability described as problematic has been identified in Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n. This vulnerability affects unknown code of the component RTSP Service. The manipulation results in denial of service.
This vulnerability was named CVE-2026-35901. The attack needs to be approached locally. There is no available exploit.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-27
Published