Executive Summary
In November 2025, critical vulnerabilities were disclosed affecting iCam365 CCTV camera models P201 and QC021 (versions 43.4.0.0 and prior), allowing unauthorized access to video streams and configuration data via missing authentication controls. CVE-2025-64770 and CVE-2025-62674 enable attackers present on the same network segment to exploit unauthenticated access to ONVIF and RTSP services, potentially exposing sensitive surveillance footage and device configurations across commercial facilities globally. The vulnerabilities were reported by researcher Truong Nguyen Long and published by CISA after vendor non-responsiveness.
This exposure highlights the persistent risk of IoT and security camera devices with weak or missing access controls, coinciding with broader trends of exploitation in internet-connected infrastructure. As remote surveillance soars and IoT devices proliferate, such lapses in device security increase the attack surface for organizations across industries.
Why This Matters Now
The iCam365 vulnerabilities demonstrate how overlooked IoT authentication flaws can pose a severe risk to privacy and facility security. With the rapid expansion of connected cameras in commercial environments and the lack of vendor response, there is urgent need for organizations to proactively segment, monitor, and secure their IoT deployments to prevent similar exposures.
Attack Path Analysis
An attacker discovers unauthenticated ONVIF and RTSP services exposed by ICAM365 CCTV cameras, and leverages this to gain initial access to live streams and configurations. With default or missing access controls, the attacker escalates privileges by modifying device settings or gaining broader access to other device functions. The attacker attempts lateral movement within the subnet, scanning or accessing other exposed devices. If possible, the attacker establishes command & control through persistent connections or covert channels. The attacker then exfiltrates sensitive video and configuration data, potentially streaming it externally. Ultimately, the attacker’s actions impact confidentiality and integrity, leading to privacy violations or surveillance disruption.
Kill Chain Progression
Initial Compromise
Description
Attacker connects to exposed ONVIF and RTSP services without authentication, gaining unauthorized access to camera streams and configuration interfaces.
Related CVEs
CVE-2025-64770
CVSS 6.8
The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information.
Affected Products:
iCam365 ROBOT PT Camera P201 – 43.4.0.0 and prior
iCam365 Night Vision Camera QC021 – 43.4.0.0 and prior
Exploit Status:
no public exploit
CVE-2025-62674
CVSS 6.8
The affected product allows unauthenticated access to Real Time Streaming Protocol (RTSP) services, which may allow an attacker unauthorized access to camera configuration information.
Affected Products:
iCam365 ROBOT PT Camera P201 – 43.4.0.0 and prior
iCam365 Night Vision Camera QC021 – 43.4.0.0 and prior
Exploit Status:
no public exploit
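The RTSP finding above is straightforward to verify on one's own cameras: a DESCRIBE request sent without credentials should be refused with 401 Unauthorized and a WWW-Authenticate challenge, and a device that instead returns 200 OK with an SDP body is handing out stream details without authentication. The following audit helper is an added example, not code from the advisory or the vendor; the default port 554 and the sample responses are constructed assumptions, and `probe()` only runs when called explicitly against a host you administer.

```python
"""Audit check: does a camera's RTSP service enforce authentication?"""
import socket
from dataclasses import dataclass
from typing import Dict, Optional

RTSP_PORT = 554  # assumed default; the camera's real port may differ


@dataclass
class RtspAuthResult:
    status: Optional[int]   # RTSP status code, None if the reply was not RTSP
    enforced: bool          # True when the server demanded credentials
    detail: str


def build_describe(url: str, cseq: int = 1) -> bytes:
    """Minimal DESCRIBE request with no Authorization header."""
    return (f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\n"
            f"Accept: application/sdp\r\n\r\n").encode()


def classify_response(raw: bytes) -> RtspAuthResult:
    """Decide from the status line and headers whether auth was required."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return RtspAuthResult(None, False, "not an RTSP response")
    status = int(parts[1])
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:]) if k}
    if status == 401 and "www-authenticate" in headers:
        return RtspAuthResult(401, True, "challenge: " + headers["www-authenticate"])
    if status == 200 and headers.get("content-type", "").lower().startswith("application/sdp"):
        return RtspAuthResult(200, False, "SDP returned without credentials (unauthenticated access)")
    return RtspAuthResult(status, False, f"inconclusive status {status}")


def probe(host: str, port: int = RTSP_PORT, path: str = "/", timeout: float = 3.0) -> RtspAuthResult:
    """Send one unauthenticated DESCRIBE to a camera you own and classify the reply."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_describe(url))
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 65536:  # headers are enough
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify_response(buf)


# Constructed sample replies (not captured from real devices) for offline use.
SAMPLE_RESPONSES = {
    "hardened-cam": b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                    b"WWW-Authenticate: Digest realm=\"cam\", nonce=\"c0ffee\"\r\n\r\n",
    "exposed-cam": b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
                   b"Content-Length: 21\r\n\r\nv=0\r\no=- 1 1 IN IP4 0\r\n",
}


def audit_samples() -> Dict[str, bool]:
    """Map each sample device name to whether it enforced authentication."""
    return {name: classify_response(raw).enforced for name, raw in SAMPLE_RESPONSES.items()}
```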
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Network Sniffing
Brute Force: Password Spraying
Server Software Component
Remote Services: Remote Desktop Protocol
File and Directory Discovery
Data from Local System
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User identification and authentication management
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Access Privileges Management
Control ID: 500.15
DORA – ICT Risk Management: Access Control
Control ID: Article 9(2)(b)
CISA ZTMM 2.0 – Enforce Strong Authentication Mechanisms
Control ID: Identity Pillar: Authentication and Access Control
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Commercial Real Estate
CCTV camera vulnerabilities expose property surveillance systems to unauthorized access, compromising tenant security and facility monitoring across commercial buildings.
Security/Investigations
Missing authentication in IoT cameras undermines security infrastructure integrity, allowing attackers to access video streams and compromise investigation capabilities.
Government Administration
Vulnerable surveillance cameras in government facilities risk unauthorized exposure of sensitive areas and potential intelligence gathering by malicious actors.
Health Care / Life Sciences
Healthcare facility camera breaches violate HIPAA compliance requirements and expose patient privacy through unauthorized access to medical facility surveillance.
Sources
- ICAM365 CCTV Camera Multiple Models: https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-02
- CVE-2025-64770 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-64770
- CVE-2025-62674 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-62674
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, encrypted traffic, policy-based access, and centralized multicloud visibility would have prevented unauthenticated access, limited lateral movement, enabled rapid detection of anomalous activity, and enforced egress security—significantly constraining the attacker’s progression and impact.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized network access to critical camera services.
Control: Threat Detection & Anomaly Response
Mitigation: Detects suspicious configuration changes and privilege elevation attempts.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized lateral movement between workloads and devices.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks known C2 protocols and malicious payloads.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized outbound data transfer and exfiltration.
Enables visibility to detect and respond to abnormal impacts rapidly.
Impact at a Glance
Affected Business Functions
- Security Monitoring
- Surveillance Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Unauthorized access to live camera feeds and configuration data, potentially compromising sensitive surveillance information.
Recommended Actions
Key Takeaways & Next Steps
- Segment IoT and cloud-connected camera networks using Zero Trust Segmentation to prevent unauthorized access.
- Enforce strong policy controls and microsegmentation to restrict east-west and lateral device communications.
- Implement egress filtering and monitoring to prevent unauthorized data exfiltration from sensitive devices.
- Use inline IPS and threat detection for real-time identification and blocking of C2 channels and exploits.
- Maintain centralized visibility and proactive anomaly detection to catch and respond to unauthorized activities quickly.