Critical authentication bypass vulnerability discovered in multiple India-based CCTV camera systems

CISA is reporting a critical authentication vulnerability affecting CCTV cameras deployed across India from three vendors: D-Link (India Limited), Sparsh Securitech, and Securus CCTV. 

The vulnerability is tracked as CVE-2025-13607 (CVSS score 9.4), is a Missing Authentication for Critical Function flaw that allows malicious actors to access camera configuration information and account credentials without any authentication when accessing a vulnerable URL.

The confirmed affected product is the D-Link DCS-F5614-L1 CCTV camera running firmware versions v1.03.038 and prior. D-Link has been confirmed as the affected vendor with specific model information but Sparsh Securitech and Securus CCTV also market similar India-based camera products that may be vulnerable. 

D-Link has released a security advisory and software update for the affected DCS-F5614-L1 camera model. The company strongly urges all users to install the relevant firmware updates immediately and regularly check for further security patches. After downloading and applying the software update, it is essential for administrators to validate the installation's success by comparing the software version displayed on the product interface to the software update version number. Users can access D-Link's official security announcement and download the patched firmware through the company's security advisory portal. 

The other vendors did not respond to CISA's coordination requests. Organizations using cameras from the non-responding vendors should each out directly to their respective customer service representatives to determine if their specific camera models are affected and what mitigation options are available.

CISA recommends minimizing network exposure for all control system devices to ensure they are not accessible from the internet.