CVE-2026-12527 PUBLISHED

Assigner: Toreon
Reserved: 17.06.2026 Published: 18.06.2026 Updated: 18.06.2026

A broken authorization boundary in the RTSP media delivery pipeline of Shenzhen Liandian Communication Technology LTD V380 IP Camera firmware AppFHE1_V1.0.6.020230803 enables unauthenticated network actors to bypass the device’s credential-enforced live-view workflow and directly retrieve real-time video stream data.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/V:C/U:Red
CVSS Score: 6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Shenzhen Liandian Communication Technology LTD
Product	V380 IP Camera / AppFHE1_V1.0.6.0
Versions	Default: unknown Version AppFHE1_V1.0.6.020230803 is affected

Credits

https://www.linkedin.com/in/syedaounshah/ finder
https://www.linkedin.com/in/muhammad-zubair-a2044b2b3/ analyst
https://www.linkedin.com/in/uzair-muzamil-468861231/ sponsor

References

https://github.com/AounShAh/Research-on-v380-cctv-ip-camera#broken-access-control-leading-to-critical-live-video-exposure

Problem Types

CWE-306: Missing Authentication for Critical Function CWE

Impacts

CAPEC-115: Authentication Bypass
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs