CVE-2025-63667

HIGH

SIMICAM KEVIEW ASECAM IP Camera Firmware - Unauthenticated Sensitive API Endpoint Access

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-63667. PoCs published by Remenis.

AI-analyzed exploit summary: The repository describes an authentication bypass vulnerability (CVE-2025-63667) in Vatilon-based IP cameras, where session tokens are issued without proper credential validation, leading to unauthorized access and plaintext credential exposure. The PoC details are withheld due to abuse risk, but the writeup provides technical observations and mitigation recommendations.

Description

Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication.

Exploits (1)

nomisec WRITEUP
by Remenis · poc
https://github.com/Remenis/CVE-2025-63667


Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Vatilon-based IP cameras (SIMICAM, KEVIEW, ASECAM)
No auth needed
Prerequisites: Network access to the vulnerable IP camera
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0043
EPSS Percentile: 34.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-284
Status: published
Products (3):
asecam/ip_camera_firmware 1.14.10
keview/ip_camera_firmware 1.14.92
simicam/ip_camera_firmware 1.16.41
Published: Nov 12, 2025
Tracked Since: Feb 18, 2026