| CVE ID | CVE-2025-9983 |
| Publication date | 22 September 2025 |
| Vendor | GALAYOU |
| Product | G2 |
| Vulnerable versions | 11.100001.01.28 |
| Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerability in GALAYOU G2 software and participated in coordination of its disclosure.
The vulnerability CVE-2025-9983: GALAYOU G2 cameras stream video output via RTSP streams. By default these streams are protected by randomly generated credentials. However these credentials are not required to access the stream. Changing these values does not change camera’s behavior.
The vendor did not respond in any way. Only version 11.100001.01.28 was tested, other versions might also be vulnerable.
Credits
We thank Szymon Paszun for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.
