CVE-2026-35902 Overview
CVE-2026-35902 is a Denial of Service vulnerability affecting the RTSP (Real Time Streaming Protocol) service of MERCURY IP camera model MIPC252W running firmware version 1.0.5 Build 230306. The vulnerability exists in how the device handles failed Digest authentication attempts, allowing an unauthenticated attacker to force the RTSP service into a persistent authentication failure state that prevents legitimate clients from accessing the camera feed.
Critical Impact
Unauthenticated attackers can completely disable RTSP video streaming capabilities on affected MERCURY IP cameras by flooding the service with invalid authentication requests, resulting in denial of service for all legitimate users.
Affected Products
- MERCURY IP Camera MIPC252W
- Firmware Version 1.0.5 Build 230306
Discovery Timeline
- 2026-04-27 - CVE-2026-35902 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-35902
Vulnerability Analysis
This vulnerability is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), which describes a weakness where a system does not implement sufficient measures to prevent brute force or repeated authentication attempts. In this case, the MERCURY MIPC252W IP camera's RTSP service fails to properly handle consecutive failed Digest authentication attempts.
The RTSP service becomes overwhelmed when processing repeated requests with invalid authentication parameters. Rather than implementing rate limiting, account lockout, or connection throttling mechanisms, the service enters an unstable state where it can no longer process any authentication requests—including legitimate ones. This design flaw allows remote attackers to effectively lock out all users from the camera's video streaming functionality.
The attack is particularly concerning because it requires no prior authentication or special access. Any attacker with network access to the camera's RTSP port can trigger the denial of service condition simply by repeatedly sending malformed authentication requests.
Root Cause
The root cause of this vulnerability is the absence of proper rate limiting and authentication attempt tracking in the RTSP service implementation. The firmware does not implement protective mechanisms such as:
- Maximum authentication attempt thresholds
- Exponential backoff after failed attempts
- IP-based blocking for repeated failures
- Connection state cleanup after authentication failures
This allows the authentication state machine to become corrupted or resource-exhausted when flooded with invalid requests.
Attack Vector
The attack is carried out over the network on which the camera is reachable (RTSP services are commonly exposed on local networks). An attacker sends a continuous stream of RTSP DESCRIBE or SETUP requests with malformed or invalid Digest authentication credentials to the camera's RTSP service port (typically port 554).
The vulnerability is triggered through the following attack pattern:
- The attacker identifies a MERCURY MIPC252W camera on the network
- The attacker initiates multiple RTSP connections to the camera's streaming endpoint
- For each connection, the attacker provides invalid Digest authentication parameters
- The RTSP service fails to properly handle the authentication failures
- After sufficient failed attempts, the service enters a persistent failure state
- Legitimate users can no longer authenticate to access the video stream
For technical details about the exploitation methodology, refer to the CVE reference documentation on GitHub.
Detection Methods for CVE-2026-35902
Indicators of Compromise
- Abnormally high number of RTSP connection attempts from a single source IP address
- Repeated authentication failures in RTSP service logs within short time windows
- RTSP service becoming unresponsive while other camera services remain functional
- Network traffic analysis showing sustained RTSP requests with malformed headers
Detection Strategies
- Monitor RTSP service availability and alert on unexpected service interruptions
- Implement network-based intrusion detection rules to identify RTSP authentication flood patterns
- Deploy traffic analysis to detect anomalous connection rates to port 554
- Configure SIEM rules to correlate multiple authentication failures from single sources
Monitoring Recommendations
- Establish baseline metrics for normal RTSP authentication traffic patterns
- Set up real-time alerting for authentication failure rate spikes
- Monitor camera availability through periodic health checks
- Implement network flow analysis for IoT device segments
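The SIEM correlation and failure-rate alerting recommended in the two lists above can be prototyped offline before any rule is deployed. The Python below is an added example written for this advisory; it is not MERCURY code, and the rtspd log line format it parses is a constructed assumption, because the page does not document what the MIPC252W itself logs (an in-path RTSP proxy is the more likely source of such lines). The constructed sample contains one source flooding bad credentials and one legitimate client that mistypes a password once; only the first reaches the threshold.

```python
"""Correlate RTSP Digest-auth failures per source IP over a sliding window.

Added example for this advisory, not MERCURY code. The log line shape below
is a constructed assumption: adjust LOG_RE to whatever the camera or an
in-path RTSP proxy actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed line shape (constructed): "<ISO ts> rtspd[pid]: auth failure method=DESCRIBE src=1.2.3.4"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) rtspd\[\d+\]: auth (?P<result>failure|success) "
    r"method=(?P<method>[A-Z_]+) src=(?P<src>[0-9.]+)"
)

WINDOW_SECONDS = 60  # correlation window
THRESHOLD = 5        # failures from one source inside the window that raise an alert


def parse_line(line):
    """Return (timestamp, result, method, src), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["method"], m["src"]


def detect_auth_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per source IP the first time it accumulates `threshold`
    failures inside any `window`-second span. Lines are expected in time order."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _method, src = parsed
        if result != "failure":
            continue  # successes do not count towards the flood rule
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()  # age out failures older than the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "failures": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
                "rule": "RTSP auth failure flood (CWE-307 pattern)",
            })
    return alerts


# Constructed sample: 192.0.2.10 floods bad credentials; 192.0.2.50 mistypes once.
SAMPLE_LOG = """\
2026-04-27T10:00:00Z rtspd[412]: auth success method=DESCRIBE src=192.0.2.50
2026-04-27T10:00:01Z rtspd[412]: auth failure method=DESCRIBE src=192.0.2.10
2026-04-27T10:00:02Z rtspd[412]: auth failure method=DESCRIBE src=192.0.2.10
2026-04-27T10:00:03Z rtspd[412]: auth failure method=SETUP src=192.0.2.10
2026-04-27T10:00:04Z rtspd[412]: auth failure method=DESCRIBE src=192.0.2.50
2026-04-27T10:00:05Z rtspd[412]: auth failure method=DESCRIBE src=192.0.2.10
2026-04-27T10:00:06Z rtspd[412]: auth failure method=DESCRIBE src=192.0.2.10
2026-04-27T10:00:07Z rtspd[412]: auth success method=DESCRIBE src=192.0.2.50
2026-04-27T10:00:08Z rtspd[412]: auth failure method=DESCRIBE src=192.0.2.10
""".splitlines()


def run_sample():
    """Run the detector over the constructed sample; returns the alert list."""
    return detect_auth_floods(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Tune WINDOW_SECONDS and THRESHOLD against the baseline established under Monitoring Recommendations; a single mistyped password never trips the rule, while five failures from one source inside the window do. The alert is emitted once per source so a sustained flood does not itself flood the SIEM.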
How to Mitigate CVE-2026-35902
Immediate Actions Required
- Isolate affected MERCURY MIPC252W cameras on a separate network segment with restricted access
- Implement network-level rate limiting for RTSP traffic to the camera
- Deploy firewall rules to restrict RTSP access to known, trusted IP addresses only
- Consider temporarily disabling RTSP if the feature is not essential to operations
Patch Information
At the time of publication, no official patch has been released by MERCURY for this vulnerability. Users should monitor the manufacturer's support channels for firmware updates addressing this issue. The vulnerability was documented in a public CVE reference.
Workarounds
- Implement network segmentation to isolate IP cameras from untrusted network zones
- Use a VPN or secure tunnel for remote RTSP access instead of direct exposure
- Deploy an RTSP proxy that implements connection rate limiting and authentication attempt throttling
- Consider replacing affected devices with cameras that have more robust authentication handling
# Example iptables rate limiting for the RTSP port (554).
# With this rule order the 5th new connection from one source IP inside 60 seconds is dropped,
# so each source gets at most 4 new RTSP connections per minute. Both rules must precede any
# rule that accepts port 554; only new TCP connections are counted, not requests on an open session.
iptables -A INPUT -p tcp --dport 554 -m conntrack --ctstate NEW -m recent --name rtsp --set
iptables -A INPUT -p tcp --dport 554 -m conntrack --ctstate NEW -m recent --name rtsp --update --seconds 60 --hitcount 5 -j DROP
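The four controls listed under Root Cause (an attempt threshold, exponential backoff, per-IP blocking and cleanup of failed-authentication state) are exactly what the rate-limiting RTSP proxy from the Workarounds list would enforce in front of the camera, and what the firmware itself lacks. The Python below is an added example for this advisory, not MERCURY firmware and not any existing proxy; the AuthThrottle class, its thresholds and the FakeClock are assumptions chosen for illustration. The simulation replays one source failing Digest authentication once a second for 30 seconds: the first three failures are tolerated, then each further failure doubles the lockout, while an unrelated client is still admitted.

```python
"""Per-source throttle for Digest-authentication failures.

Added example for this advisory, not MERCURY firmware and not a real proxy.
It shows the four controls from the Root Cause section: an attempt threshold,
exponential backoff, per-IP blocking and cleanup of stale state. Every
parameter is an assumption chosen for illustration.
"""
import time

MAX_FREE_FAILURES = 3   # failures tolerated before the first lockout
BASE_LOCKOUT = 2.0      # seconds; doubles on every further failure
MAX_LOCKOUT = 300.0     # cap on the backoff
STALE_AFTER = 600.0     # forget a source after this much quiet time


class AuthThrottle:
    """Tracks failed attempts per source IP and says whether a new one may proceed."""

    def __init__(self, now=time.monotonic):
        self._now = now    # injectable clock so behaviour can be replayed deterministically
        self._state = {}   # src -> {"failures": int, "blocked_until": float, "last": float}

    def allow(self, src):
        """True if an authentication attempt from src should be handed to the authenticator."""
        now = self._now()
        self.cleanup(now)
        e = self._state.get(src)
        return e is None or now >= e["blocked_until"]

    def record_failure(self, src):
        """Register a failed attempt; returns the lockout (seconds) now applied to src."""
        now = self._now()
        e = self._state.setdefault(src, {"failures": 0, "blocked_until": 0.0, "last": now})
        e["failures"] += 1
        e["last"] = now
        excess = e["failures"] - MAX_FREE_FAILURES
        if excess <= 0:
            return 0.0
        lockout = min(BASE_LOCKOUT * 2 ** (excess - 1), MAX_LOCKOUT)
        e["blocked_until"] = now + lockout
        return lockout

    def record_success(self, src):
        """A successful authentication clears the source's failure state."""
        self._state.pop(src, None)

    def cleanup(self, now=None):
        """Drop sources that are unblocked and quiet for STALE_AFTER; returns entries left.
        This is the state cleanup the vulnerable service lacks, and it bounds memory use."""
        now = self._now() if now is None else now
        stale = [s for s, e in self._state.items()
                 if now >= e["blocked_until"] and now - e["last"] > STALE_AFTER]
        for s in stale:
            del self._state[s]
        return len(self._state)


class FakeClock:
    """Deterministic clock for the simulation below (assumption, not part of any product)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_flood(seconds=30, src="192.0.2.10"):
    """Replay one source failing Digest auth once per second; every attempt the
    throttle lets through fails again. Returns how many reached the authenticator,
    the lockout applied after each, and whether an unrelated client is still allowed."""
    clock = FakeClock()
    throttle = AuthThrottle(now=clock)
    lockouts = []
    for _ in range(seconds):
        clock.advance(1.0)
        if throttle.allow(src):
            lockouts.append(throttle.record_failure(src))
    return {
        "processed": len(lockouts),          # 7 of 30 attempts reach the authenticator
        "lockouts": lockouts,                # [0, 0, 0, 2, 4, 8, 16]
        "other_allowed": throttle.allow("192.0.2.50"),
    }


if __name__ == "__main__":
    print(simulate_flood())
```

In a proxy, allow() runs before the Digest challenge is answered, record_failure() on a 401 from the camera, and record_success() once a session is established; cleanup() keeps the table from growing without bound, which is the resource-exhaustion path the advisory describes. Keying on source IP has the usual limitation behind NAT, so thresholds should be set generously enough that a shared egress address is not locked out by one user's typos.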
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


