CVE-2026-35903: MERCURY IP Camera Auth Bypass Flaw

CVE-2026-35903 Overview

CVE-2026-35903 is an improper authentication vulnerability (CWE-287) affecting the MERCURY MIPC252W IP camera firmware version 1.0.5 Build 230306 Rel.79931n. The vulnerability exists in the device's RTSP (Real Time Streaming Protocol) service, where session authentication is improperly validated after the initial Digest authentication handshake. This flaw allows attackers with network access to bypass authentication and execute unauthorized RTSP control commands by reusing session parameters from a previously authenticated session.

Critical Impact

Network attackers can bypass authentication on the RTSP service to issue unauthorized control commands (SETUP, PLAY, TEARDOWN), potentially gaining full control over the camera's video streaming capabilities without valid credentials.

Affected Products

• MERCURY MIPC252W IP Camera - Firmware version 1.0.5 Build 230306 Rel.79931n

Discovery Timeline

• 2026-04-27 - CVE-2026-35903 published to NVD
• 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-35903

Vulnerability Analysis

The vulnerability stems from a fundamental flaw in how the MERCURY MIPC252W IP camera handles RTSP session authentication. The device implements HTTP Digest authentication for initial RTSP DESCRIBE requests, which is a standard security mechanism for protecting streaming resources. However, after a client successfully completes the initial Digest authentication challenge-response, the device fails to properly validate subsequent Authorization headers within the same RTSP session.

Specifically, once a session is established with a valid nonce and session identifier, the camera does not verify that the response parameter in the Digest Authorization header contains a valid cryptographic hash. This means an attacker can submit RTSP requests with an empty or completely invalid response value, and the device will still process the request as long as the nonce and session identifier match those from a previously authenticated session.

This authentication bypass allows attackers to manipulate camera streaming operations, potentially enabling surveillance interception, denial of service through stream termination, or integration into larger attack chains targeting network infrastructure.

Root Cause

The root cause is improper authentication validation in the RTSP service's session management logic. After the initial DESCRIBE request establishes a session, the authentication middleware only checks for the presence of session-related parameters (nonce, session ID) but fails to cryptographically verify the Digest response field. This violates the fundamental principle of Digest authentication where every request must include a valid response hash computed from the shared secret.

Attack Vector

The attack exploits the RTSP service accessible over the network. An attacker can execute this attack by:

1. Intercepting or observing a legitimate RTSP session's nonce and session identifier (via network sniffing or through an initial authentication attempt)
2. Crafting subsequent RTSP requests (SETUP, PLAY, TEARDOWN) with the captured nonce and session ID
3. Submitting an empty or arbitrary value for the response parameter in the Authorization header
4. The camera accepts these malformed requests, allowing the attacker to control video streaming operations

The vulnerability can be exploited without any user interaction and requires only network access to the device's RTSP service port. Technical details and proof-of-concept information can be found in the GitHub PoC Repository.

Detection Methods for CVE-2026-35903

Indicators of Compromise

• RTSP requests containing Authorization headers with empty or malformed response parameter values
• Multiple RTSP control commands (SETUP, PLAY, TEARDOWN) from sources that did not complete full Digest authentication
• Unusual session reuse patterns where nonce values appear in requests from different source IP addresses
• Rapid succession of RTSP method calls without corresponding valid authentication exchanges

Detection Strategies

• Deploy network monitoring to inspect RTSP traffic (typically port 554) for malformed Digest Authorization headers
• Implement IDS/IPS rules to flag RTSP requests where the Authorization header's response field is empty or contains obviously invalid values
• Monitor for session parameter reuse across different source addresses or abnormal time intervals
• Audit RTSP service logs for authentication anomalies or unexpected command sequences

Monitoring Recommendations

• Enable verbose logging on network security appliances for RTSP protocol traffic
• Configure alerts for any RTSP SETUP, PLAY, or TEARDOWN requests that fail Digest authentication validation
• Monitor for unauthorized access attempts to IP camera streams on your network
• Implement network segmentation alerts for IoT devices attempting unusual outbound connections

How to Mitigate CVE-2026-35903

Immediate Actions Required

• Isolate affected MERCURY MIPC252W cameras from untrusted network segments immediately
• Restrict network access to the RTSP service (typically port 554) using firewall rules to trusted IP addresses only
• Implement VPN or other secure tunneling for remote camera access
• Monitor all RTSP traffic to affected devices for signs of exploitation

Patch Information

No vendor security patch has been published at this time. Monitor MERCURY's official support channels and the GitHub PoC Repository for updates on remediation guidance.

Workarounds

• Place affected cameras on an isolated network segment (VLAN) with strict access controls
• Disable RTSP service if not required for your use case, or restrict access via firewall rules
• Implement a reverse proxy with proper authentication validation in front of the RTSP service
• Consider replacing vulnerable devices with cameras from vendors that have demonstrated timely security patching practices
• Enable network-level authentication (802.1X) to limit device access to authorized users only