Skip to main content
CVE Vulnerability Database

CVE-2025-9983: GALAYOU G2 Camera Auth Bypass Vulnerability

CVE-2025-9983 is an authentication bypass flaw in GALAYOU G2 cameras allowing unauthorized access to RTSP video streams despite credential protection. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-9983 Overview

CVE-2025-9983 affects GALAYOU G2 cameras that stream video output over the Real Time Streaming Protocol (RTSP). The camera generates random credentials to protect RTSP streams by default. However, these credentials are not enforced, and the device serves the stream to any unauthenticated client on the adjacent network. Changing the credential values does not change camera behavior. Only firmware version 11.100001.01.28 was tested, but other versions may also be affected. The vendor did not respond to disclosure attempts. The flaw is classified as Missing Authentication for Critical Function [CWE-306].

Critical Impact

Any attacker on the adjacent network can capture live video from affected GALAYOU G2 cameras without supplying credentials.

Affected Products

  • GALAYOU G2 camera firmware version 11.100001.01.28
  • Other GALAYOU G2 firmware versions (untested, potentially vulnerable)
  • Deployments exposing the RTSP service to adjacent networks

Discovery Timeline

  • 2025-09-22 - CVE-2025-9983 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in the NVD database

Technical Details for CVE-2025-9983

Vulnerability Analysis

The GALAYOU G2 camera exposes an RTSP service used to deliver live video. The device generates random credentials and presents them in the management interface, suggesting clients must authenticate before retrieving the stream. In practice the RTSP server does not validate the supplied credentials. A client connecting without any authentication header receives the same video stream as an authorized user. Modifying the credentials in the camera configuration produces no change in server behavior, indicating the authentication routine is either missing or short-circuited at the firmware level.

Root Cause

The root cause is Missing Authentication for Critical Function [CWE-306]. The RTSP service treats authentication as advisory rather than mandatory. Credentials are stored and displayed but never enforced during the DESCRIBE, SETUP, or PLAY request handling. This design flaw cannot be remediated through configuration changes alone.

Attack Vector

The attack requires logical adjacency to the camera, such as the same Wi-Fi segment or a routed internal network reachable from the camera. An attacker scans for open RTSP ports (typically TCP 554), issues a standard RTSP DESCRIBE request against the discovered stream URL, and retrieves the session description. The attacker then issues SETUP and PLAY to begin receiving the H.264 video payload without ever submitting credentials. Standard tools such as ffmpeg or vlc reproduce the attack using only the camera IP address and stream path.

No verified exploit code is published. See the CERT Polska advisory for CVE-2025-9983 for technical details.

Detection Methods for CVE-2025-9983

Indicators of Compromise

  • Unexpected RTSP sessions (TCP 554) originating from devices that do not normally consume camera streams
  • Repeated DESCRIBE, SETUP, and PLAY requests from a single source without preceding authentication exchanges
  • Sustained outbound bandwidth from GALAYOU G2 cameras to unfamiliar internal hosts

Detection Strategies

  • Inspect network flows for RTSP connections to camera IP addresses that lack a corresponding Authorization header in packet captures
  • Correlate camera client lists against approved video management system (VMS) endpoints and alert on deviations
  • Run periodic unauthenticated RTSP probes from a controlled host to confirm whether the stream remains open

Monitoring Recommendations

  • Log all RTSP control-channel traffic at the network segment boundary for retention and forensic review
  • Alert on any RTSP session sourced from a non-VMS subnet or guest Wi-Fi range
  • Monitor camera firmware version inventory and flag devices running 11.100001.01.28 or any version not validated against this advisory

How to Mitigate CVE-2025-9983

Immediate Actions Required

  • Isolate GALAYOU G2 cameras on a dedicated VLAN that blocks lateral access from user and guest networks
  • Restrict inbound RTSP (TCP 554) to the IP addresses of authorized video management systems only
  • Treat any captured stream content as exposed and review whether the camera placement remains acceptable

Patch Information

No vendor patch is available. The vendor did not respond to disclosure. Operators should consider replacing affected cameras with devices from a vendor that enforces RTSP authentication. Refer to the CERT Polska advisory for CVE-2025-9983 and the GALAYOU G2 product page for additional product context.

Workarounds

  • Place cameras behind a reverse RTSP proxy that enforces authentication before forwarding requests to the device
  • Use firewall rules to drop all RTSP traffic from sources other than the approved VMS
  • Disable RTSP entirely on the device if the deployment can rely on the vendor cloud or alternate transport
  • Avoid deploying these cameras in areas where captured footage would create privacy or operational risk

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.