Swann network video recorder (NVR) devices contain a hard-coded password and do not require authentication to view the video feed when accessing from specific URLs.
CWE-259: Use of Hard-coded Password - CVE-2015-8286
A remote unauthenticated attacker may be able to gain root access to the device, or view the live video feed.
The CERT/CC is currently unaware of a full solution to these issues.
Restrict network access
Thanks to Junia Valente of the Cyber-Physical Systems Security Lab at UT Dallas for reporting this vulnerability.
This document was written by Garret Wassermann.