CVE-2025-9983 Overview
CVE-2025-9983 affects GALAYOU G2 cameras that stream video output over the Real Time Streaming Protocol (RTSP). The camera generates random credentials to protect RTSP streams by default. However, these credentials are not enforced, and the device serves the stream to any unauthenticated client on the adjacent network. Changing the credential values does not change camera behavior. Only firmware version 11.100001.01.28 was tested, but other versions may also be affected. The vendor did not respond to disclosure attempts. The flaw is classified as Missing Authentication for Critical Function [CWE-306].
Critical Impact
Any attacker on the adjacent network can capture live video from affected GALAYOU G2 cameras without supplying credentials.
Affected Products
- GALAYOU G2 camera firmware version 11.100001.01.28
- Other GALAYOU G2 firmware versions (untested, potentially vulnerable)
- Deployments exposing the RTSP service to adjacent networks
Discovery Timeline
- 2025-09-22 - CVE-2025-9983 published to the National Vulnerability Database
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2025-9983
Vulnerability Analysis
The GALAYOU G2 camera exposes an RTSP service used to deliver live video. The device generates random credentials and presents them in the management interface, suggesting clients must authenticate before retrieving the stream. In practice the RTSP server does not validate the supplied credentials. A client connecting without any authentication header receives the same video stream as an authorized user. Modifying the credentials in the camera configuration produces no change in server behavior, indicating the authentication routine is either missing or short-circuited at the firmware level.
Root Cause
The root cause is Missing Authentication for Critical Function [CWE-306]. The RTSP service treats authentication as advisory rather than mandatory. Credentials are stored and displayed but never enforced during the DESCRIBE, SETUP, or PLAY request handling. This design flaw cannot be remediated through configuration changes alone.
Attack Vector
The attack requires logical adjacency to the camera, such as the same Wi-Fi segment or a routed internal network reachable from the camera. An attacker scans for open RTSP ports (typically TCP 554), issues a standard RTSP DESCRIBE request against the discovered stream URL, and retrieves the session description. The attacker then issues SETUP and PLAY to begin receiving the H.264 video payload without ever submitting credentials. Standard tools such as ffmpeg or vlc reproduce the attack using only the camera IP address and stream path.
No verified exploit code is published. See the CERT Polska advisory for CVE-2025-9983 for technical details.
Detection Methods for CVE-2025-9983
Indicators of Compromise
- Unexpected RTSP sessions (TCP 554) originating from devices that do not normally consume camera streams
- Repeated DESCRIBE, SETUP, and PLAY requests from a single source without preceding authentication exchanges
- Sustained outbound bandwidth from GALAYOU G2 cameras to unfamiliar internal hosts
Detection Strategies
- Inspect network flows for RTSP connections to camera IP addresses that lack a corresponding Authorization header in packet captures
- Correlate camera client lists against approved video management system (VMS) endpoints and alert on deviations
- Run periodic unauthenticated RTSP probes from a controlled host to confirm whether the stream remains open
Monitoring Recommendations
- Log all RTSP control-channel traffic at the network segment boundary for retention and forensic review
- Alert on any RTSP session sourced from a non-VMS subnet or guest Wi-Fi range
- Monitor camera firmware version inventory and flag devices running 11.100001.01.28 or any version not validated against this advisory
How to Mitigate CVE-2025-9983
Immediate Actions Required
- Isolate GALAYOU G2 cameras on a dedicated VLAN that blocks lateral access from user and guest networks
- Restrict inbound RTSP (TCP 554) to the IP addresses of authorized video management systems only
- Treat any captured stream content as exposed and review whether the camera placement remains acceptable
Patch Information
No vendor patch is available. The vendor did not respond to disclosure. Operators should consider replacing affected cameras with devices from a vendor that enforces RTSP authentication. Refer to the CERT Polska advisory for CVE-2025-9983 and the GALAYOU G2 product page for additional product context.
Workarounds
- Place cameras behind a reverse RTSP proxy that enforces authentication before forwarding requests to the device
- Use firewall rules to drop all RTSP traffic from sources other than the approved VMS
- Disable RTSP entirely on the device if the deployment can rely on the vendor cloud or alternate transport
- Avoid deploying these cameras in areas where captured footage would create privacy or operational risk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

