2025-12-24 19:27 | CVE-2019-25240 | VulnCheck
PUBLISHED | 5.2 | CWE-306

Rifatron 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504) Unauthenticated Live Stream Disclosure via animate.cgi

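Rifatron 5brid DVR contains a missing-authentication vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication. The CVSS 3.1 vector in the JSON record below (C:H/I:H/A:H, base score 9.8) rates integrity and availability impact as HIGH, whereas this description supports only a confidentiality impact (disclosure of video), so the score should be checked against the referenced advisories during triage. The record lists firmware <=8.0 (000143) as affected and names no fixed version; until a fix is confirmed, exposure depends on whether the DVR's web interface is reachable from untrusted networks.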

Problem type: CWE-306 (Missing Authentication for Critical Function)

Affected products

Rifatron Co., Ltd.

DVR

5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504) - AFFECTED

7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2) - AFFECTED

Firmware: <=8.0 (000143) - AFFECTED

References

GitHub Security Advisories

GHSA-x3j6-h5jv-f97w

Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that...

https://github.com/advisories/GHSA-x3j6-h5jv-f97w

Rifatron 5brid DVR contains a missing-authentication vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication.

JSON source

https://cveawg.mitre.org/api/cve/CVE-2019-25240
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2019-25240",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2025-12-24T20:23:25.132Z",
    "dateReserved": "2025-12-24T14:27:12.476Z",
    "datePublished": "2025-12-24T19:27:57.698Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2025-12-24T19:27:57.698Z"
      },
      "datePublic": "2019-09-03T00:00:00.000Z",
      "title": "Rifatron 5brid DVR 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504) Unauthenticated Live Stream Disclosure via animate.cgi",
      "descriptions": [
        {
          "lang": "en",
          "value": "Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication."
        }
      ],
      "affected": [
        {
          "vendor": "Rifatron Co., Ltd.",
          "product": "DVR",
          "versions": [
            {
              "version": "5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)",
              "status": "affected"
            },
            {
              "version": "7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)",
              "status": "affected"
            },
            {
              "version": "Firmware: <=8.0 (000143)",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Missing Authentication for Critical Function",
              "cweId": "CWE-306",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/47368",
          "name": "ExploitDB-47368",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "http://www.rifatron.com",
          "name": "Rifatron Official Product Homepage",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php",
          "name": "Zero Science Lab Disclosure (ZSL-2019-5532)",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-12-24T20:23:25.132Z"
        },
        "title": "CISA ADP Vulnrichment",
        "references": [
          {
            "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php",
            "tags": [
              "exploit"
            ]
          },
          {
            "url": "https://www.exploit-db.com/exploits/47368",
            "tags": [
              "exploit"
            ]
          }
        ],
        "metrics": [
          {}
        ]
      }
    ]
  }
}