CVE-2025-66050 PUBLISHED

No password set for administrative account in Vivotek IP7137 cameras

Assigner: CERT-PL
Reserved: 21.11.2025 Published: 09.01.2026 Updated: 09.01.2026

Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Vivotek
Product	IP7137
Versions	Default: unknown Version 0200a is affected

Credits

Szymon Paszun finder

References

https://cert.pl/posts/2026/01/CVE-2025-66049

Problem Types

CWE-1393 Use of Default Password CWE