Executive Summary
In October 2025, security researchers disclosed a critical vulnerability (CVE-2025-11757) affecting CloudEdge IoT cameras and their mobile application. The flaw, caused by improper sanitization of MQTT topic inputs and the use of hard-coded credentials, allowed remote attackers to subscribe to wildcard topics and intercept sensitive messages. This gave unauthorized access to camera feeds and controls globally for any device running the vulnerable CloudEdge App v4.4.2. Neither CloudEdge nor Meari Technologies responded to official disclosure requests, leaving millions of devices worldwide potentially exposed to attack.
This incident exemplifies ongoing risks in consumer IoT, highlighting weaknesses in MQTT implementations and credential management. Similar vulnerabilities are increasingly leveraged by attackers to gain unauthorized access, disrupt operations, and compromise privacy, underscoring the pressing need for stronger IoT security regulation and vendor accountability.
Why This Matters Now
CloudEdge's vulnerability exposes the enduring risks of insecure IoT deployments, where improper protocol controls and poor credential management enable wide-scale surveillance and device takeover. With rising smart device adoption, unchecked flaws like these create urgent threats to personal privacy, critical infrastructure, and enterprise networks.
Attack Path Analysis
The attacker remotely exploited improper MQTT topic sanitization and hard-coded credentials to gain unauthorized access to the CloudEdge cloud. Using credentials obtained from MQTT messages, they escalated their privileges to control camera devices. Leveraging the trust relationships within the cloud environment, the attacker moved laterally to access additional cameras. They established outbound communication channels to maintain command and control. Sensitive camera feeds and metadata were exfiltrated over the network. Ultimately, the attacker could disrupt operations or compromise privacy by manipulating camera streams or leaking footage.
Kill Chain Progression
Initial Compromise
Description
The attacker subscribed to unsanitized MQTT topics to intercept messages containing hard-coded credentials, gaining initial unauthorized access to the cloud management and camera environment.
Related CVEs
CVE-2025-11757
CVSS 7.5
The CloudEdge Cloud does not sanitize the MQTT topic input, allowing an attacker to leverage the MQTT wildcard to receive all messages intended for other users, potentially obtaining credentials and key information to connect to cameras from peer to peer.
Affected Products:
CloudEdge CloudEdge App – 4.4.2
Exploit Status:
no public exploit
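The root cause described in the CVE entry above, as an added example that is not part of this advisory or of CloudEdge's code: the MQTT filter-matching rules under which a single wildcard subscription receives other users' messages, beside a broker-side authorization check that closes the gap by rejecting wildcards and confining each client to its own topic prefix. The users/<user_id>/ namespace layout and the sample topic names are assumptions for illustration only.

```python
"""Per-user MQTT topic-filter authorization (added illustration, not CloudEdge code).
The 'users/<user_id>/' layout and the sample topics are assumptions."""
from __future__ import annotations

WILDCARDS = ("+", "#")

# Constructed sample topics; not real CloudEdge topic names.
SAMPLE_TOPICS = [
    "users/alice/cam1/credentials",
    "users/bob/cam7/credentials",
    "users/carol/cam2/stream",
]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT 3.1.1 filter matching: '+' matches exactly one level,
    '#' (valid only as the last level) matches the parent and everything below.
    This is why an unsanitized 'users/#' filter receives every user's messages."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def deliverable(topic_filter: str, topics: list[str]) -> list[str]:
    """Topics a broker would deliver to a subscriber of `topic_filter`."""
    return [t for t in topics if topic_matches(topic_filter, t)]


def authorize_subscription(user_id: str, topic_filter: str) -> bool:
    """Accept a SUBSCRIBE only if the filter is wildcard-free and names a
    topic strictly inside the caller's own 'users/<user_id>/' namespace.
    Run this on the broker before registering the subscription."""
    if any(w in topic_filter for w in WILDCARDS):
        return False
    prefix = f"users/{user_id}/"
    return topic_filter.startswith(prefix) and len(topic_filter) > len(prefix)
```

An equivalent check can be expressed as a per-user ACL on brokers such as Mosquitto, but the point is the same: wildcard characters in a client-supplied filter must be refused rather than forwarded to the broker as-is.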
MITRE ATT&CK® Techniques
Unsecured Credentials: Credentials In Files
Valid Accounts
Network Sniffing
Remote Services: Remote Desktop Protocol
Account Discovery
Exfiltration Over Command and Control Channel
Input Capture
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Use of Strong Authentication and Secure Credential Management
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Security Risk Management
Control ID: Article 9(2)
CISA ZTMM 2.0 – Identity Authentication and Credential Protection
Control ID: Identity Pillar - Authentication & Credential Management
NIS2 Directive – Cybersecurity Risk-management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Security/Investigations
IoT camera vulnerabilities expose hard-coded credentials and MQTT wildcards, compromising surveillance systems and enabling unauthorized access to critical security infrastructure and video feeds.
Commercial Real Estate
CloudEdge camera exploitation threatens building security systems, allowing attackers to access live video feeds and camera controls in commercial properties worldwide.
Hospitality
Hotel and resort security cameras are vulnerable to remote exploitation, risking guest privacy and facility security through compromised video surveillance and unauthorized camera control.
Health Care / Life Sciences
Medical facility surveillance systems face HIPAA compliance violations and patient privacy breaches through exploitable IoT camera credentials and unencrypted MQTT communications.
Sources
- CloudEdge Online Cameras and App (CISA ICS Advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-05
- NVD - CVE-2025-11757: https://nvd.nist.gov/vuln/detail/CVE-2025-11757
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF-aligned Zero Trust segmentation, encrypted communications, strict egress controls, and real-time threat detection would have severely limited the attacker's progression after initial compromise and likely prevented lateral movement, C2, and exfiltration. Automated cloud-native policy enforcement and network/workload isolation reduce the risk of broad device access even in the presence of credential exposure.
Control: Encrypted Traffic (HPE)
Mitigation: Mitigates theft of credentials in transit and network sniffing.
Control: Zero Trust Segmentation
Mitigation: Limits access scope despite credential compromise.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized internal movement.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks malicious C2 communications.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized data exfiltration over the network.
Rapidly detects anomalous activity post-compromise.
Impact at a Glance
Affected Business Functions
- Security Monitoring
- Surveillance Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of live video feeds and unauthorized camera control, leading to privacy violations and security breaches.
Recommended Actions
Key Takeaways & Next Steps
- Apply zero trust segmentation and identity-based access controls to all IoT/OT and cloud workloads, isolating devices and users by function.
- Enforce encrypted, authenticated network traffic (e.g., MACsec, IPsec) to prevent interception of sensitive data and credentials in transit.
- Implement strict egress filtering and outbound policy enforcement to block unauthorized data flows and exfiltration attempts.
- Deploy distributed, inline intrusion prevention and anomaly detection to monitor cloud and IoT camera environments for C2, lateral movement, and suspicious behavior.
- Centralize multicloud and hybrid visibility for rapid detection, response, and policy management across all cloud, edge, and IoT assets.