Summary
The ONVIF RTSP-over-WebSocket endpoint (/onvif/rtsp-over-websocket) is missing authentication requirements in the Apache configuration, while the functionally identical non-ONVIF endpoint (/rtsp-over-websocket) correctly requires axis-rtsp-ws-session authentication. This configuration inconsistency allows an unauthenticated attacker to access the camera’s live video stream by connecting via the ONVIF WebSocket protocol.
Vulnerability Details
In the firmware’s Apache configuration, two WebSocket-to-RTSP proxy endpoints are defined:
File: /etc/apache2/conf.d/vhosts/all/tcpproxy_rtsp.conf (AUTHENTICATED):
<Location /rtsp-over-websocket>
WebSockServProvTCPAddr localhost
WebSockServProvTCPPort RTSP
WebSockServProvTCPBindAddr 127.1.1.2
WebSockSubProt binary
WebSockTCPTimeout 60
SetHandler websocket-handler
Require axis-rtsp-ws-session ← AUTH REQUIRED
</Location>
File: /etc/apache2/conf.d/vhosts/all/tcpproxy_rtsp_onvif.conf (NO AUTH):
<Location /onvif/rtsp-over-websocket>
WebSockServProvTCPAddr localhost
WebSockServProvTCP6Addr ip6-localhost
WebSockServProvTCPPort RTSP
WebSockSubProt rtsp.onvif.org
WebSockTCPTimeout 60
SetHandler websocket-handler
← NO Require DIRECTIVE
</Location>
Both endpoints are included in ALL VirtualHost configurations via the conf.d/vhosts/all/ include path, meaning this applies to the externally-facing VHost.
Why Auth Doesn’t Apply
The parent VHost’s authentication is configured at the <Directory "/usr/html"> level:
<Directory "/usr/html">
Include /run/apache2/httpd-select-auth.conf
Require axis-group-file
</Directory>
Apache <Location> directives operate independently of <Directory> directives. Since /onvif/rtsp-over-websocket is handled by a WebSocket module (not a filesystem path under /usr/html), the Directory-level authentication does not apply. With no Require directive in the Location block, Apache 2.4 allows the request.
Impact
An unauthenticated attacker on the network can:
1. Connect to ws://CAMERA_IP/onvif/rtsp-over-websocket using the ONVIF RTSP WebSocket subprotocol
2. Tunnel RTSP commands through the WebSocket connection directly to the camera’s RTSP server
3. Access live video/audio streams without any credentials
4. Conduct surveillance without the camera owner’s knowledge
This is a complete bypass of the camera’s authentication for video stream access.
Evidence
- Firmware: P3245-LV 11.11.192 (latest)
- Config files: Extracted from /etc/apache2/conf.d/vhosts/all/ in the firmware rootfs
- Comparison: The non-ONVIF endpoint in tcpproxy_rtsp.conf correctly includes Require axis-rtsp-ws-session, confirming that auth on this endpoint is intentional and the ONVIF variant is missing it
Reproduction
- Identify an AXIS camera on the network (e.g., via ONVIF discovery or mDNS)
- Establish a WebSocket connection:
wscat -s rtsp.onvif.org -c ws://CAMERA_IP/onvif/rtsp-over-websocket
- Send RTSP DESCRIBE/SETUP/PLAY commands through the WebSocket tunnel
- Observe: video stream data is returned without authentication
Suggested Fix
Add the same authentication requirement to the ONVIF endpoint:
<Location /onvif/rtsp-over-websocket>
WebSockServProvTCPAddr localhost
WebSockServProvTCP6Addr ip6-localhost
WebSockServProvTCPPort RTSP
WebSockSubProt rtsp.onvif.org
WebSockTCPTimeout 60
SetHandler websocket-handler
Require axis-rtsp-ws-session ← ADD THIS
</Location>
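As an added illustration (not part of the original writeup, and not Axis firmware code), the following audit script applies the reasoning from "Why Auth Doesn't Apply" and the suggested fix: it parses <Location> blocks out of Apache configuration text and flags any block that routes requests to websocket-handler without an access-restricting Require directive of its own. The embedded sample configuration is a constructed copy of the two blocks quoted above; the "fixed" variant is the same text with the suggested Require line added to the ONVIF block. Function and file names are my own assumptions.

```python
"""Audit Apache <Location> blocks that hand requests to a handler module
but carry no Require directive (the misconfiguration described above)."""
import re
import sys

# Constructed sample input: the two Location blocks quoted in this writeup,
# concatenated as Apache sees them after including conf.d/vhosts/all/.
VULNERABLE_CONF = """
<Location /rtsp-over-websocket>
    WebSockServProvTCPAddr localhost
    WebSockServProvTCPPort RTSP
    WebSockServProvTCPBindAddr 127.1.1.2
    WebSockSubProt binary
    WebSockTCPTimeout 60
    SetHandler websocket-handler
    Require axis-rtsp-ws-session
</Location>

<Location /onvif/rtsp-over-websocket>
    WebSockServProvTCPAddr localhost
    WebSockServProvTCP6Addr ip6-localhost
    WebSockServProvTCPPort RTSP
    WebSockSubProt rtsp.onvif.org
    WebSockTCPTimeout 60
    SetHandler websocket-handler
</Location>
"""

# The same input with the suggested fix applied: only the ONVIF block ends with
# a bare SetHandler line, so this substitution touches that block alone.
FIXED_CONF = VULNERABLE_CONF.replace(
    "    SetHandler websocket-handler\n</Location>\n",
    "    SetHandler websocket-handler\n    Require axis-rtsp-ws-session\n</Location>\n",
)

LOCATION_RE = re.compile(
    r'<Location\s+"?(?P<path>[^"\s>]+)"?\s*>(?P<body>.*?)</Location>',
    re.IGNORECASE | re.DOTALL,
)
# Matches "Require ...", "<RequireAll>", "<RequireAny>" and "<RequireNone>".
REQUIRE_RE = re.compile(r"^<?require(all|any|none)?\b", re.IGNORECASE)
HANDLER_RE = re.compile(r"^sethandler\s+(\S+)", re.IGNORECASE)


def parse_location_blocks(conf_text):
    """Map each <Location> path to its directive lines (comments and blanks dropped)."""
    blocks = {}
    for match in LOCATION_RE.finditer(conf_text):
        directives = []
        for raw in match.group("body").splitlines():
            line = raw.strip()
            if line and not line.startswith("#"):
                directives.append(line)
        blocks[match.group("path")] = directives
    return blocks


def handler_of(directive):
    """Return the handler name set by a SetHandler line, else None."""
    match = HANDLER_RE.match(directive)
    return match.group(1).lower() if match else None


def is_effective_require(directive):
    """True for a Require line that actually restricts access.
    'Require all granted' is syntactically a Require but admits everyone."""
    if not REQUIRE_RE.match(directive):
        return False
    return directive.lower().split() != ["require", "all", "granted"]


def find_unprotected_handler_locations(conf_text, handler="websocket-handler"):
    """Paths of <Location> blocks that set SetHandler <handler> but contain
    no access-restricting Require directive. Only the block's own lines are
    considered, because a <Directory>-level Require does not reach a
    handler-served Location (the point made in the writeup)."""
    findings = []
    for path, directives in parse_location_blocks(conf_text).items():
        sets_handler = any(handler_of(d) == handler for d in directives)
        protected = any(is_effective_require(d) for d in directives)
        if sets_handler and not protected:
            findings.append(path)
    return findings


if __name__ == "__main__":
    # Usage: python audit_location_require.py [conf files...]
    # With no arguments, the constructed samples above are audited.
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:
            with open(name, encoding="utf-8", errors="replace") as fh:
                for path in find_unprotected_handler_locations(fh.read()):
                    print(f"{name}: <Location {path}> uses websocket-handler with no Require")
    else:
        print("vulnerable sample:", find_unprotected_handler_locations(VULNERABLE_CONF))
        print("fixed sample:     ", find_unprotected_handler_locations(FIXED_CONF))
```

Run against the extracted files under conf.d/vhosts/all/ the script reports the ONVIF Location and nothing else; after the suggested Require line is added it reports nothing. It is a static heuristic, not Apache's real merge logic: it deliberately ignores Require directives in enclosing <Directory> sections (which is exactly why the ONVIF block is reachable) and treats a <RequireAny>/<RequireAll> container as protective without inspecting what it contains.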
Source · github.com/zionsworking/security-research-notebook · writeups/axis-os/onvif-rtsp-websocket-unauth.md