PT-2026-35511 · Mercury · Mipc252W

Yankang · Published 2026-04-27 · Updated 2026-05-05 · CVE-2026-35903

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

MERCURY MIPC252W version 1.0.5 Build 230306 Rel.79931n

Description

An improper authentication issue exists in the RTSP service. Following a successful Digest authentication during an initial 'DESCRIBE' request, the device fails to verify the Digest response parameter in subsequent RTSP requests within the same session. Consequently, RTSP methods including 'SETUP', 'PLAY', and 'TEARDOWN' can be processed even if the Authorization header contains an empty or invalid response value, provided the nonce and session identifier match a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without a valid Digest response.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
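
The check the description says is missing, shown as an added example (not vendor firmware code and not code from this advisory): a session-only check with the behaviour described above, beside per-request verification of the Digest response as RFC 2617 defines it without qop. The session values, credentials, URI and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2' into a dict of lower-cased keys."""
    if not header.lower().startswith("digest "):
        return {}
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', header[7:])
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def session_only_check(sess: dict, session_id: str, auth: str) -> bool:
    """Behaviour the advisory describes: nonce and session match are enough."""
    p = parse_digest(auth)
    return session_id == sess["id"] and p.get("nonce") == sess["nonce"]

def per_request_check(sess, session_id, method, uri, auth) -> bool:
    """Recompute and compare the Digest response on every RTSP request."""
    p = parse_digest(auth)
    if session_id != sess["id"] or p.get("nonce") != sess["nonce"]:
        return False
    if (p.get("username"), p.get("realm"), p.get("uri")) != (
            sess["user"], sess["realm"], uri):
        return False
    ha2 = md5_hex(f"{method}:{uri}")  # binds the response to this method and URI
    expected = md5_hex(f"{sess['ha1']}:{sess['nonce']}:{ha2}")
    # Constant-time comparison; an empty or wrong response never matches.
    return hmac.compare_digest(expected.encode(), p.get("response", "").encode())

# Constructed sample session (documentation address, made-up credentials).
USER, REALM, PASSWORD = "admin", "example-realm", "constructed-password"
URI = "rtsp://192.0.2.10/stream1"
SESSION = {"id": "12345678", "nonce": "0a1b2c3d4e5f", "user": USER,
           "realm": REALM, "ha1": md5_hex(f"{USER}:{REALM}:{PASSWORD}")}

def make_auth(method: str, response=None) -> str:
    """Build a test Authorization header; response=None computes the valid one."""
    if response is None:
        ha2 = md5_hex(f"{method}:{URI}")
        response = md5_hex(f"{SESSION['ha1']}:{SESSION['nonce']}:{ha2}")
    return (f'Digest username="{USER}", realm="{REALM}", '
            f'nonce="{SESSION["nonce"]}", uri="{URI}", response="{response}"')
```

Because HA2 includes the method, a response computed for one RTSP method does not validate a request using another, which is why the value has to be recomputed per request rather than trusted per session.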

Exploit

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-35903

Affected Products

Mipc252W