CISA issues alert on authentication flaws in iCam365 P201 and QC021 cameras
Security flaws have been identified in iCam365's P201 and QC021 camera models, involving the absence of authentication controls on critical functions which could lead to unauthorized data access.
The vulnerabilities have been assigned the identifiers CVE-2025-64770 and CVE-2025-62674. The P201 and QC021 models, up to firmware version 43.4.0.0, permit unauthenticated access to Open Network Video Interface Forum (ONVIF) services and Real Time Streaming Protocol (RTSP) services. This flaw allows attackers to access camera configuration details without proper authentication. Both issues share the Common Weakness Enumeration designation CWE-306, “Missing Authentication for Critical Function.” The Common Vulnerability Scoring System (CVSS) version 3.1 base score for each vulnerability is 6.8, and the CVSS version 4.0 base score is 7.0, with vectors AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L for version 3.1 and AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N for version 4.0.
Exploitation of these vulnerabilities may lead to unauthorized disclosure of live video streams and configuration information of the affected cameras.
At the time of reporting, iCam365 had not responded to coordination requests regarding these vulnerabilities. Users are advised to contact iCam365 directly for further updates. No public demonstrations or reports of exploitation targeting these vulnerabilities have been identified. The vulnerabilities are not exploitable remotely without network access.
Recommendations include limiting network exposure of the cameras by ensuring they are not accessible via the Internet and positioning them behind firewalls separated from business networks. When remote access is required, the use of secure methods such as Virtual Private Networks (VPNs) is advised, acknowledging that VPNs require maintenance and updates to remain secure and their security depends on the connected devices.
Organizations are encouraged to conduct appropriate impact assessments and risk evaluations before deploying any defensive measures. Additional advisory resources and recommended practices for industrial control systems security are available through official channels, with incident reporting procedures established for suspected malicious activities associated with these vulnerabilities.