CVE ID | CVE-2025-53701 |
Publication date | 23 October 2025 |
Vendor | Vilar |
Product | VS-IPC1002 |
Vulnerable versions | 1.1.0.18 |
Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
Report source | Report to CERT Polska |

CVE ID | CVE-2025-53702 |
Publication date | 23 October 2025 |
Vendor | Vilar |
Product | VS-IPC1002 |
Vulnerable versions | 1.1.0.18 |
Vulnerability type (CWE) | Improper Handling of Exceptional Conditions (CWE-755) |
Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in the firmware of Vilar VS-IPC1002 IP cameras and participated in the coordination of their disclosure.
CVE-2025-53701: Vilar VS-IPC1002 IP cameras are vulnerable to Reflected XSS (Cross-site Scripting) attacks because parameters in GET requests sent to the /cgi-bin/action endpoint are not sanitized properly, making it possible to target logged-in admin users.
CVE-2025-53702: Vilar VS-IPC1002 IP cameras are vulnerable to DoS (Denial-of-Service) attacks. An unauthenticated attacker on the same local network might send a crafted request to the /cgi-bin/action endpoint and render the device completely unresponsive. A manual restart of the device is required.
The vendor did not respond in any way. Only version 1.1.0.18 was tested; other versions might be vulnerable as well.
Credits
We thank Szymon Paszun for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.