Critical Authentication Bypass in D-Link, Securus, and Sparsh CCTV Cameras
Take action: As a general rule, make sure your CCTV cameras are not accessible from the internet. Check your CCTV inventory immediately for these models and apply the available firmware updates from D-Link and Securus. If you use Sparsh cameras or cannot patch, isolate these devices, place them behind a VPN, and consider replacement.
CISA reports that multiple CCTV camera models from D-Link India, Sparsh Securitech, and Securus CCTV are vulnerable to a critical security flaw that allows unauthenticated remote access.
The vulnerability, tracked as CVE-2025-13607 (CVSS score 9.4), is a missing authentication for critical function flaw that allows attackers to access camera configuration files by visiting a specific URL.
An attacker can retrieve account credentials and system settings without any user interaction. This flaw effectively gives any network-based attacker full administrative control over the device, with access to surveillance feeds or a foothold for lateral movement within a corporate network.
Affected products:
- D-Link (India Limited) DCS-F5614-L1: versions 1.03.038 and earlier
- Securus CCTV Purple Series: firmware versions dated before December 15, 2025
- Sparsh Securitech IP CCTV Cameras: all versions are currently considered affected
D-Link and Securus have released firmware updates to address the issue, and users should apply them immediately. D-Link users can find instructions in their security announcement, while Securus users should update to the firmware package dated 15-12-2025.
Because Sparsh Securitech did not respond to coordination efforts, users of their cameras should contact the vendor directly and isolate the devices from the internet using firewalls or VPNs.
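To check an inventory against the affected-product criteria listed above, a small triage script helps. This one is an added example, not code from CISA or the vendors; the CSV column names (`host`, `vendor`, `model`, `firmware`), the ISO date format for Securus firmware, and the sample rows are assumptions.

```python
import csv
import io
from datetime import date, datetime

# Thresholds from the advisory; CSV columns and ISO date format are assumptions.
DLINK_MODEL = "DCS-F5614-L1"
DLINK_LAST_AFFECTED = (1, 3, 38)          # 1.03.038 and earlier
SECURUS_FIXED_DATE = date(2025, 12, 15)   # firmware dated before this is affected

def parse_version(text):
    """Turn '1.03.038' into (1, 3, 38) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def assess(row):
    """Return (status, reason) for one inventory row."""
    vendor = row["vendor"].strip().lower()
    model = row["model"].strip().upper()
    fw = row["firmware"].strip()
    try:
        if "d-link" in vendor and model == DLINK_MODEL:
            if parse_version(fw) <= DLINK_LAST_AFFECTED:
                return "AFFECTED", "update per D-Link security announcement"
            return "OK", "newer than 1.03.038"
        if "securus" in vendor and "PURPLE" in model:
            if datetime.strptime(fw, "%Y-%m-%d").date() < SECURUS_FIXED_DATE:
                return "AFFECTED", "update to firmware dated 15-12-2025"
            return "OK", "firmware dated 15-12-2025 or later"
    except ValueError:
        return "REVIEW", "unparseable firmware field, check manually"
    if "sparsh" in vendor:
        return "AFFECTED", "no fix listed: isolate, contact vendor"
    return "NOT_LISTED", "model not named in the advisory"

def triage(csv_text):
    return [(r["host"], *assess(r)) for r in csv.DictReader(io.StringIO(csv_text))]

# Constructed sample inventory (hosts and firmware values are made up).
SAMPLE = """host,vendor,model,firmware
cam-01,D-Link,DCS-F5614-L1,1.03.038
cam-02,D-Link,DCS-F5614-L1,1.04.001
cam-03,Securus,Purple Series,2025-11-02
cam-04,Securus,Purple Series,2025-12-15
cam-05,Sparsh Securitech,IP Camera,unknown
cam-06,D-Link,DCS-F5614-L1,v1.03
cam-07,ExampleCam,X100,2.0
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Rows marked `REVIEW` have a firmware field the script cannot parse and need a manual check rather than being assumed safe.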