Hardcoded credential leakage vulnerability in the XM530 X6-WEQ product

2026-04-30 14:05:41


Serial No.: XM-SN-XMSRC26002

Initial Release Date: 2026-04-30

CVE ID: CVE-2025-65857

Summary

Devices running version XM530V200_X6-WEQ_8M V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 have a security vulnerability. The GetStreamUri interface exposes RTSP URIs with hardcoded credentials, allowing unauthorized direct access to video streams.
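As an added example (not XM's code), the following check parses a GetStreamUri response captured from a device you administer and reports whether the returned RTSP URI carries embedded credentials, with the values redacted for logging. The sample response, the `CRED_PARAMS` names and the URI layout are constructed assumptions; this advisory does not state how the credentials appear in the URI.

```python
# Added example (not vendor code): audit a captured ONVIF GetStreamUri
# response for credentials embedded in the returned RTSP URI.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Assumption: query-parameter names treated as credential carriers.
CRED_PARAMS = {"user", "username", "password", "passwd", "pwd"}

# Constructed sample response; host, path and values are placeholders.
SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:trt="http://www.onvif.org/ver10/media/wsdl"
 xmlns:tt="http://www.onvif.org/ver10/schema"><s:Body>
 <trt:GetStreamUriResponse><trt:MediaUri>
  <tt:Uri>rtsp://192.0.2.10:554/example?user=EXAMPLE_USER&amp;password=EXAMPLE_PASS&amp;channel=1</tt:Uri>
 </trt:MediaUri></trt:GetStreamUriResponse></s:Body></s:Envelope>"""

def extract_stream_uris(soap_xml):
    """Return the text of every <Uri> element, whatever its namespace prefix."""
    root = ET.fromstring(soap_xml)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Uri" and el.text]

def credential_findings(uri):
    """Name each place the URI carries credentials (userinfo or query)."""
    parts = urlsplit(uri)
    found = ["userinfo"] if parts.username or parts.password else []
    found += [f"query:{name}"
              for name, _ in parse_qsl(parts.query, keep_blank_values=True)
              if name.lower() in CRED_PARAMS]
    return found

def redact(uri):
    """Return a copy of the URI that is safe to write to a log or ticket."""
    p = urlsplit(uri)
    host = p.netloc.rpartition("@")[2]  # drop any userinfo, keep host:port
    netloc = f"REDACTED@{host}" if "@" in p.netloc else host
    query = "&".join(
        f"{n}=REDACTED" if n.lower() in CRED_PARAMS else f"{n}={v}"
        for n, v in parse_qsl(p.query, keep_blank_values=True))
    return urlunsplit((p.scheme, netloc, p.path, query, p.fragment))

def audit(soap_xml):
    """Return (redacted_uri, findings) for every stream URI in the response."""
    return [(redact(u), credential_findings(u)) for u in extract_stream_uris(soap_xml)]

if __name__ == "__main__":
    for uri, findings in audit(SAMPLE):
        print("FAIL" if findings else "ok", uri, findings)
```

An empty findings list for every URI is the expected result on a device that no longer returns credentials in its stream URIs.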

Firmware Versions and Fixes

[Image: firmware versions and fixes]


Impact

1. Devices accessed via the external network are not affected by this risk.

2. This risk only exists in the LAN environment when the ONVIF password verification of the device is not enabled.

3. Users can avoid this risk by enabling the ONVIF password verification function on the device.

To enable ONVIF password verification, refer to:

https://obs-as-hk-pic-01.obs.ap-southeast-1.myhuaweicloud.com/180_Enable ONVIF password verification.docx

 

Vulnerability Scoring Details

Vulnerability classification has been performed using the CVSS v3 scoring system.

(http://www.first.org/cvss/specification-document)

Base Score: 8.8 (Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

Obtain Device Firmware

Please contact XM technical support engineers for updates and upgrades.

Alternatively, download firmware online at:

https://obs-as-hk-pic-01.obs.ap-southeast-1.myhuaweicloud.com/180_General_IPC_XM530V200_X6-WEQ_WIFISSV6158M.6158M.Nat.OnvifS_V5.00.X02.20260430_all.bin

 

 

Revision History

2026-04-30 V1.0 Initial release