What is CVE-2026-35903?

CVE-2026-35903 is a critical-severity vulnerability in Mercurycom Mipc252w, classified under Improper Authentication. CVSS score: 9.8/10. Published 2026-04-27.

How severe is CVE-2026-35903?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Auth bypass in Mercurycom Mipc252w

CVE-2026-35903

MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest re…

Vulnerability class: Broken Authentication

EPSS: 0.000 (6.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Mercurycom Mipc252w
Mercurycom Mipc252w_firmware — versions 1.0.5
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

cve@mitre.org (Exploit, Third Party Advisory)

Frequently asked questions

What is CVE-2026-35903?: CVE-2026-35903 is a critical-severity vulnerability in Mercurycom Mipc252w, classified under Improper Authentication. CVSS score: 9.8/10. Published 2026-04-27.
How severe is CVE-2026-35903?: Critical severity. CVSS v3 base score is 9.8 out of 10.