The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on December 9, 2025, warning that a specific vulnerability in several India-market IP cameras allows anyone to remotely retrieve configuration data—including live video feeds and administrator account credentials—without a password. Assigned CVE-2025-13607 with a near-maximum severity score, the flaw affects devices from D-Link (India Limited), Sparsh Securitech, and Securus CCTV, with patches already available from D-Link and Securus but not from Sparsh, which did not respond to CISA’s coordination attempts.

A Missing Authentication Gate in Everyday Surveillance Devices

The root of CVE-2025-13607 is a classic missing authentication flaw (CWE-306): a specific, unauthenticated URL endpoint on affected cameras returns a payload containing sensitive configuration details. According to the CISA advisory (ICSA-25-343-03), an attacker can simply request this endpoint and receive:

  • Administrative usernames and password hashes (or, in some cases, plaintext credentials)
  • Live stream access tokens and ONVIF/RTSP connection parameters
  • NVR pairing details and cloud relay credentials

With these secrets in hand, a bad actor can log into the camera’s web interface, view live and recorded footage, change pan/tilt/zoom presets, disable motion detection, or even push malicious firmware updates. The severity is reflected in the CVSS scores: a v3 base of 9.4 and a v4 base of 9.3, both rated Critical. The attack complexity is low, no user interaction is required, and exploitation can be automated across entire device fleets.

Who Is Affected and Who Has a Fix

The advisory lists three India-market vendors, but the confirmation status and patch availability differ sharply:

Vendor Affected Model(s) Patch Status
D-Link (India Limited) DCS-F5614-L1 (firmware v1.03.038 and earlier) ✅ Patch released. Obtain from D-Link Security Announcement SAP10462.
Securus CCTV Purple Series ✅ Patch released. Update to firmware package dated 15-12-2025.
Sparsh Securitech Not publicly specified ❌ Vendor did not respond to CISA; no fix confirmed.

For D-Link users: The D-Link security bulletin (SAP10462) provides a verified firmware update. After applying, always confirm the new version through the device’s management interface.

For Securus users: Securus has released a software update for the affected Purple Series cameras; visit their official product page and install the firmware package marked 15-12-2025.

For Sparsh users: The absence of vendor coordination means any Sparsh camera deployed in your environment should be treated as actively vulnerable. CISA advises contacting Sparsh directly ([email protected]) and evaluating the vulnerability internally. In the interim, strict network isolation is critical.

Practical Impact: From Stolen Credentials to Network Breach

The consequences of an unauthenticated configuration disclosure extend well beyond a single camera. Consider these scenarios:

  • Home users with an exposed D-Link DCS-F5614-L1 risk having family activities live-streamed to the attacker, along with any recorded footage stored on the device’s SD card or NVR.
  • Small businesses using Securus or Sparsh cameras for shop monitoring could have motion-triggered alerts disabled, effectively blinding security when it matters most.
  • Enterprise IT teams managing large fleets of surveillance cameras face a lateral-movement threat: compromised cameras often sit on the same VLAN as NVR appliances, Windows-based video management servers, and even access control systems. An attacker who steals NVR credentials can pivot deeper into the corporate network.

Windows administrators managing VMS/NVR software must be especially vigilant. Many camera management consoles run on Windows Server or Windows 10/11 workstations. A single unpatched camera can serve as a reconnaissance node, enabling an attacker to exfiltrate password databases, stored configuration files, or service account credentials used by the VMS software.

How We Got Here: The Persistent Problem of IoT Camera Flaws

Missing authentication for critical functions is not a new weakness—it has plagued IoT devices for over a decade. Surveillance cameras are particularly attractive targets because they combine network connectivity, a rich data payload, and often, a rapid time-to-market that prioritizes convenience over security. In the India market, where price-sensitive hardware and cloud-brokered remote viewing dominate, the risk multiplies.

CISA has repeatedly flagged similar vulnerabilities across brands—from Hikvision and Dahua to lesser-known OEMs rebadged for regional distribution. Common threads include:
- Unauthenticated ONVIF endpoints that expose device services
- RTSP streams with no password protection
- Cloud relay tokens harvested from device configuration pages

The current advisory underscores a market-specific ripple effect: when local resellers or vendors with limited security engineering resources do not participate in coordinated disclosure, entire device classes can remain vulnerable long after a flaw is known.

What to Do Right Now: A Practical Response Plan

Time is critical because the vulnerability is remotely exploitable and has been publicly documented. Use the following checklist, ordered by urgency (minutes to days):

1. Immediate Containment (First 24 Hours)

  • Inventory all cameras: Use network scanning tools (e.g., nmap with ONVIF probes) to identify every camera by IP, MAC, vendor, and firmware version.
  • Block inbound traffic at the perimeter: Immediately remove any port-forwarding rules for management ports (HTTP/HTTPS, ONVIF, RTSP) to prevent direct internet access.
  • Isolate camera VLANs: Move cameras to a dedicated VLAN with restrictive firewall rules and no access from general user workstations.
  • Disable unnecessary services: Temporarily turn off RTSP and ONVIF on devices where they are not required.

2. Apply Vendor Patches (Where Available)

  • D-Link DCS-F5614-L1: Download the firmware update from D-Link’s official security bulletin (SAP10462). Validate the checksum if provided, apply the update, and confirm the new version on the device interface.
  • Securus Purple Series: Visit the official Securus Purple Series product page, download the 15-12-2025 firmware package, and update.
  • Sparsh devices: No patch exists. Contact Sparsh at [email protected] and press for a timeline. Meanwhile, treat these devices as high-risk assets requiring isolation or replacement.

3. Credential Hygiene and Access Control

  • Rotate all camera passwords: Change every admin account password on affected cameras. Store unique, complex passwords in a centralized secrets manager.
  • Rotate NVR/VMS credentials: Update any integration accounts that cameras use to connect to NVRs or cloud services.
  • Restrict management access: Allow configuration changes only from hardened jump hosts with multi-factor authentication (MFA) and session recording.

4. Harden Windows-Based VMS/NVR Servers

  • Ensure all Windows servers and workstations running VMS software are fully patched (including the latest cumulative updates).
  • Use dedicated, least-privilege service accounts for VMS applications; never reuse domain admin credentials.
  • Configure Windows Firewall to allow outbound connections only to known, necessary IP addresses (especially for cloud relay functions).
  • Encrypt configuration backup files, which often contain plaintext camera credentials.
  • Enable Windows Defender Advanced Threat Protection (or equivalent EDR) and monitor for unusual process launches or network connections.

5. Logging and Detection

  • Centralize camera and NVR logs into a SIEM.
  • Add IDS/IPS rules to detect unauthenticated ONVIF discovery requests or repeated access to camera configuration endpoints.
  • Alert on any new outbound connections from the camera VLAN to unfamiliar cloud IPs.
  • For Windows hosts, look for:
  • Unexplained exports of camera configuration files.
  • New scheduled tasks related to VMS software.
  • Unusual outbound flows to cloud relay IPs from management workstations.

What Comes Next

The CISA advisory is a wake-up call for any organization deploying India-market surveillance hardware. Vendor non-response—in this case, Sparsh Securitech—is a systemic risk that demands proactive procurement policies. When purchasing new cameras, require vendors to maintain a public security bulletin program, provide signed firmware updates, and commit to coordinated vulnerability disclosure timelines.

CISA may update the advisory if Sparsh or other affected vendors release fixes. Subscribe to CISA ICS advisories and monitor the D-Link and Securus support pages for any revised firmware. Meanwhile, treat every internet-connected camera as a potential entry point, not just a passive sensor. Network segmentation, credential hygiene, and rigorous patch management are your primary defenses—because the next flaw may already be under mass exploitation.