Cross-Site Request Forgery in i-PRO WV-X/S/U Network Cameras (CVE-2025-36513)
Summary
Affected i-PRO network cameras fail to validate the origin of state-changing web requests, so an authenticated administrator who is lured to a malicious page can have setting changes silently submitted to the camera on their behalf. The impact is limited to the integrity of the camera configuration and requires user interaction, which keeps this in the medium-severity band. It was reported through JVN by Nozomi Networks and fixed in the listed firmware releases.
Affected products
Impact
An attacker can trick a logged-in operator into unknowingly altering camera settings via a forged cross-site request, potentially weakening device configuration or coverage. There is no direct data disclosure or denial of service, but configuration drift across many endpoints can erode monitoring reliability over time.
Remediation
Apply firmware 2.80 (WV-X), 2.85 (WV-S), or 3.45 (WV-U) or later per series. As defense in depth, keep camera web management off the public internet, require administrators to fully log out of camera UIs before browsing elsewhere, and segment camera management interfaces behind a jump host. Uniqcli Security can confirm which of your i-PRO series and firmware levels are exposed, batch-apply the updates, and lock down management-plane access so forged requests never reach the device.
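To find which cameras still need the update, the fixed versions above can be checked against an inventory export. The script below is an added example, not code from i-PRO, JVN, or this page's author; the CSV layout, host names, and model numbers are constructed, and it assumes the series can be read from the first four characters of the model name.

```python
import csv
import io
import re

# Fixed firmware per series, as listed in the Remediation section.
FIXED = {"WV-X": (2, 80), "WV-S": (2, 85), "WV-U": (3, 45)}

# Constructed inventory: hosts, model numbers and versions are sample values.
SAMPLE_INVENTORY = """host,model,firmware
cam-lobby,WV-X0001,2.61
cam-dock,WV-S0002,2.85
cam-gate,WV-U0003,3.5
cam-roof,WV-S0004,v2.90
cam-yard,WV-Z0005,1.00
cam-hall,WV-X0006,unknown
"""

def parse_version(text):
    """Return (major, minor) for N.NN strings, else None.

    The advisory lists two-digit minors (2.80, 2.85, 3.45); any other shape,
    such as "3.5", is ambiguous and is left for manual review, not guessed.
    """
    m = re.fullmatch(r"[vV]?(\d+)\.(\d{2})", text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(model, firmware):
    """Return 'fixed', 'vulnerable' or 'review' for one inventory row."""
    series = model.strip().upper()[:4]  # assumption: series prefix is 4 chars
    fixed = FIXED.get(series)
    version = parse_version(firmware)
    if fixed is None or version is None:
        return "review"  # unknown series or unreadable version: check by hand
    return "fixed" if version >= fixed else "vulnerable"

def triage(inventory_csv):
    """Map each host in a host,model,firmware CSV to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["model"], r["firmware"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows marked `review` are deliberately not counted as safe: an unrecognised series or an unparseable version string should be confirmed on the device itself.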
