Critical path traversal vulnerability reported in Infodraw's surveillance software
Take action: If you are using Infodraw MRS systems, take them offline and request an official patch from the vendor. If taking MRA is not possible, isolate the vulnerable port from the internet via VPNs or IP restrictions to limit access. The hack is fairly easy and can be automated, so don't ignore this one.
Learn More
Security researchers from Mint Secure have uncovered a severe security vulnerability in the Media Relay Service (MRS) web server software developed by Israeli manufacturer Infodraw.
The flaw is tracked as CVE-2025-43928 (CVSS score 9.8) and is a path traversal vulnerability that affects surveillance software used by law enforcement agencies globally, including body cameras used by special forces, surveillance equipment, and police drones. The vulnerability allows attackers to perform path traversal attacks through the username parameter in the MRS web server.
Researchers discovered that logging in with specially crafted usernames containing path traversal sequences (e.g., "../../../../") enables attackers to navigate outside the intended directory structure and access sensitive system files.
If exploited, this flaw enables unauthorized access to any files on the affected system, potentially leading to abitrary file access and download, file deletion or lateral movement or privilege escalation
The vulnerable Media Relay Service (MRS) software is used with Infodraw's PMRS series devices for video, audio, and position data processing in surveillance applications. The software typically runs on port 12654 and provides two interfaces (/user and /admin). Both Linux and Windows implementations are affected.
Mint Secure conducted internet-wide scans on port 12654 and identified numerous vulnerable systems, including those operated by:
- Police forces in Belgium (Limburg Regio Hoofdstad), possibly related to drone operations
- Luxembourg's "Police Grand-Ducale" special unit for audio and video surveillance (Groupes d'appui technique opérationnel - GATO)
- Multiple other government and law enforcement agencies worldwide
Mint Secure initially reported the vulnerability to Infodraw but received no response. Consequently, they contacted affected organizations and national CERTs directly to mitigate potential risks before public disclosure. The vulnerability was formally assigned CVE-2025-43928 on April 20, 2025, and was presented at the Chaos Computer Club's Easterhegg 2025 conference.
Organizations using Infodraw's MRS software should isolate the MRS software port 12654 from the public internet and implement additional protective measures such as VPN or IP restrictions. Ideally, they should take affected systems offline immediately. In any case, they should conduct forensic investigations to determine if unauthorized access has already occurred.
