Critical

ICAM365 CCTV Camera Multiple Models

All CISA Advisories

Overview

The iCam365 CCTV camera models P201 and QC021 have been identified with critical vulnerabilities allowing unauthorized access to camera video streams and configuration data due to missing authentication for ONVIF and RTSP services. The vulnerabilities carry a CVSS v4 score of 7.0, indicating a significant risk that requires immediate attention and mitigation.

Key Takeaways

  • Affected Systems: Affected products include iCam365 ROBOT PT Camera P201 (Versions 43.4.0.0 and prior) and Night Vision Camera QC021 (Versions 43.4.0.0 and prior). Vendor: iCam365.
  • Action Required: CISA recommends minimizing network exposure for all control system devices, ensuring they are not accessible from the Internet.
  • Timeline: Disclosed on November 20, 2025

Original Article Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.0 ATTENTION: Low attack complexity Vendor: iCam365 Equipment: P201 and QC021 Vulnerabilities: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in unauthorized exposure of camera video streams and camera configuration data. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following iCam365 camera model is affected: ROBOT PT Camera P201: Versions 43.4.0.0 and prior Night Vision Camera QC021: Versions 43.4.0.0 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 Missing Authentication for Critical Function CWE-306 The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information. CVE-2025-64770 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L). A CVSS v4 score has also been calculated for CVE-2025-64770. A base score of 7.0 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N). 3.2.2 Missing Authentication for Critical Function CWE-306 The affected product allows unauthenticated access to Real Time Streaming Protocol (RTSP) services, which may allow an attacker unauthorized access to camera configuration information. CVE-2025-62674 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L). A CVSS v4 score has also been calculated for CVE-2025-62674. A base score of 7.0 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: China 3.4 RESEARCHER Truong Nguyen Long reported these vulnerabilities to CISA. 4. MITIGATIONS iCam365 did not respond to CISA's request for coordination. Contact iCam365 directly for more information. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPNs are only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. 5. UPDATE HISTORY November 20, 2025: Initial Publication

Impact

Affected products include iCam365 ROBOT PT Camera P201 (Versions 43.4.0.0 and prior) and Night Vision Camera QC021 (Versions 43.4.0.0 and prior). Vendor: iCam365.

Exploitation Status

No active exploitation has been reported at this time. However, organizations should still apply patches promptly as proof-of-concept code may exist.

Timeline

Disclosed on November 20, 2025

Remediation

CISA recommends minimizing network exposure for all control system devices, ensuring they are not accessible from the Internet. Control system networks and remote devices should be located behind firewalls and isolated from business networks. When remote access is necessary, use secure methods like Virtual Private Networks (VPNs). Organizations should perform proper impact analysis and risk assessment prior to deploying defensive measures. Additional guidance is available on the CISA ICS webpage.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to CVE, Vulnerability, Update, and 1 more.

Related Coverage

23andMe to pay $18 million in new genetics data breach settlement

BleepingComputer

23andMe, the genetic testing company, has agreed to pay $18 million to settle a lawsuit filed by a coalition of 43 attorneys general. The lawsuit claimed that 23andMe failed to adequately protect its customers' genetic data, putting sensitive information at risk. This settlement comes as part of a broader push for companies to prioritize data security, especially when handling personal genetic information. Customers who used 23andMe's services are particularly affected, as their genetic data could have been exposed. The situation raises significant concerns about privacy and the responsibilities of companies in safeguarding sensitive health information.

Jul 16, 2026

New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

The Hacker News

Cybersecurity experts have identified a new malware named TELEPUZ that has been spreading since late April 2026 through compromised websites using ClickFix lures. This modular malware is designed to steal data and execute commands on infected systems. Researchers from Elastic Security Labs note that while the number of command-and-control domains associated with TELEPUZ is currently limited, its capabilities raise significant concerns for users and organizations. The lightweight nature of the malware makes it particularly dangerous, as it can easily evade detection. Users visiting infected sites are at risk, making it crucial for individuals and companies to remain vigilant about their online activities and security practices.

Jul 16, 2026

New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

The Hacker News

A new piece of malware known as ClickLock Stealer is targeting macOS users by forcing them to input their login passwords. This infostealer operates by running a command in the Terminal that creates a fake system dialog asking for the password. If the victim cancels this request, the malware repeatedly kills various applications—including Finder and Terminal—every 210 milliseconds until the password is provided. Once the victim logs in again, the malware installs two LaunchAgents, allowing it to operate silently in the background. This type of attack is particularly concerning as it manipulates user behavior to extract sensitive information, highlighting the need for users to be cautious about unexpected prompts and commands.

Jul 16, 2026

20+ Hijacked Government Websites Became
an Attack Channel

The Hacker News

Over 20 Brazilian government websites have been hijacked as part of a campaign by a group known as PhantomEnigma. These sites were repurposed to deliver malware, which poses a significant risk to users who visit them. Researchers from ANY.RUN discovered previously unknown backdoor tactics and complex relationships within the cybercriminal infrastructure involved. This incident not only affects the integrity of government websites but also puts the data and security of users at risk, highlighting the ongoing challenges in protecting public digital resources. It serves as a reminder for both users and government agencies to remain vigilant against such attacks.

Jul 16, 2026

Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor

The Hacker News

Daxin, an advanced malware linked to a Chinese threat actor, has been detected again after a four-year gap, this time within a manufacturing firm in Taiwan. This kernel-mode rootkit, identified as 'srt64.sys', was first reported by Symantec in March 2022. Alongside Daxin, researchers have also discovered a new backdoor called Stupig, which has not been previously documented. The resurgence of Daxin raises concerns about targeted attacks on critical infrastructure, particularly in sectors like manufacturing that are vital to the economy. Organizations in Taiwan and similar industries need to be vigilant and reassess their cybersecurity measures to protect against these sophisticated threats.

Jul 16, 2026

CISA orders feds to patch actively exploited Oracle flaw by Saturday

BleepingComputer

The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies address a serious vulnerability in the Oracle E-Business Suite by Saturday. This flaw is being actively exploited in the wild, posing risks to financial operations managed through the software. Agencies are urged to take immediate action to protect their systems from potential attacks that could compromise sensitive financial data. The urgency of this directive reflects the critical nature of the vulnerability and the potential impact on government operations if left unaddressed.

Jul 16, 2026