What is CVE-2025-12108?

CVE-2025-12108 is a critical security vulnerability with a CVSS score of 9.8 affecting Survision License Plate Recognition cameras. It is a security oversight in the system's default configuration where the Survision LPR Camera system does not enforce password protection by default, allowing immediate access to the configuration wizard without any login prompt or credentials check.

Which versions of Survision LPR cameras are affected?

All versions of the Survision License Plate Recognition LPR Camera prior to firmware version 3.5 are affected by CVE-2025-12108. Users should update to firmware version 3.5 or later to address the vulnerability.

What network security measures should be taken for Survision LPR cameras?

These LPR camera systems should be isolated from the internet and made accessible only from trusted networks. This is a standard security practice that helps prevent unauthorized access and reduces the attack surface for critical infrastructure devices like license plate recognition cameras.

What risks do compromised LPR cameras pose to facility operations?

Compromised LPR cameras can lead to unauthorized modification of access control lists that determine which vehicles are granted entry, disruption of parking or tolling operations resulting in revenue loss, theft of sensitive vehicle movement data and personal information, and the use of compromised systems as pivot points for broader network attacks on facility infrastructure.

What is the severity level of CVE-2025-12108?

CVE-2025-12108 has a CVSS score of 9.8, which is classified as critical severity. This high rating reflects the ease of exploitation (no authentication required) and the significant potential impact on security, operations, and data privacy.

What authentication methods does Survision recommend for LPR cameras?

Survision recommends enabling configuration password authentication by defining users and roles with minimal rights in the user management system. Additionally, where possible, organizations should enforce client certificate authentication for an additional security layer. For older versions, activating the lock password feature in security parameters is recommended as an interim measure.

Advisory

Critical authentication flaw reported in Survision license plate recognition cameras

Q: Has Survision patched the LPR camera vulnerability?

Yes, Survision has addressed the vulnerability in firmware version 3.5. The company strongly recommends that all users immediately update to firmware version 3.5 or later to protect their LPR camera systems from exploitation.

Q: What should organizations do after updating Survision LPR cameras to firmware 3.5?

For organizations running the updated firmware version 3.5 or later, Survision recommends enabling configuration password authentication by defining users and roles with minimal rights in the user management system, and where possible, enforcing client certificate authentication for additional security layers.

Q: What should organizations do if they cannot immediately upgrade Survision LPR cameras?

For organizations still operating on versions prior to 3.5 who cannot immediately upgrade, Survision recommends activating the lock password feature in the security parameters as an interim measure, and where possible, enforcing client certificate authentication. Organizations should contact Survision directly for detailed guidance on implementing these temporary protections.

Q: What is the cause of the Survision LPR camera vulnerability?

The vulnerability is caused by a security oversight in the system's default configuration. The Survision LPR Camera system does not enforce password protection by default, allowing immediate access to the configuration wizard without any login prompt or credentials check, making it possible for attackers to gain complete unauthorized access.

published: Nov. 4, 2025

Take action: If you use Survision License Plate Recognition (LPR) cameras, first make sure they are isolated from the internet. Then update ASAP to firmware version 3.5, since the cameras are by default open to unauthorized access without any password. Until you update, contact the vendor for instructions to enable the "lock" password feature in security parameters.

Learn More

CISA is reporting a critical security vulnerability affecting Survision License Plate Recognition (LPR) cameras that allows attackers to gain complete unauthorized access to the camera systems without authentication.

The flaw is tracked as CVE-2025-12108 (CVSS score 9.8), is a security oversight in the system's default configuration. The Survision LPR Camera system does not enforce password protection by default, allowing immediate access to the configuration wizard without any login prompt or credentials check. The potential impact includes unauthorized modification of camera configurations, tampering with license plate recognition settings and databases, manipulation of access control lists that determine which vehicles are granted entry, disruption of parking or tolling operations leading to revenue loss, theft of sensitive vehicle movement data and personal information, and deployment of the compromised systems as pivot points for broader network attacks on facility infrastructure.

Affected versions are all versions of the License Plate Recognition LPR Camera prior to firmware version 3.5.

Survision strongly recommends that all users immediately update to firmware version 3.5 or later. For organizations running the updated firmware, Survision recommends enabling configuration password authentication by defining users and roles with minimal rights in the user management system, and where possible, enforcing client certificate authentication for additional security layers.

For organizations still operating on previous versions (prior to v3.5) who can't immediately upgrade, Survision recommends activating the "lock" password feature in the security parameters as an interim measure, and where possible, enforcing client certificate authentication. Organizations should contact Survision directly for detailed guidance on implementing these temporary protections.

As usual, these systems should be isolated from the internet and accessible from only from trusted networks.

Critical authentication flaw reported in Survision license plate recognition cameras

Read More
ABB reports three critical flaws in FLXEON Controllers
Researchers investigate Industrial MMS Protocol Libraries, find old …
Multiple vulnerabilities reported in Inaba Denki Sangyo CHOCO …
Moxa reports critical flaw affecting EDS-508A Ethernet switches
AutomationDirect reports critical security vulnerability in C-more EA9 …