iSeeQ Hybrid DVR WH-H4 1.03R Unauthenticated Live Stream Disclosure

Advisories

severity: high
date: December 24, 2025
Affecting: Hybrid DVR WH-H4 1.03R, 2.0.0.P
CVE: CVE-2019-25236
CWE: CWE-306 Missing Authentication for Critical Function
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-47562
iSeeQ Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5539)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication.