The discussion on LinkedIn about the security of Chinese OEM cameras, especially those made by Xiongmai, once again highlights massive flaws in the IT security architecture of many video surveillance systems. While the devices look professional on the outside, their internal structure reveals a multitude of attack points.
Xiongmai is an OEM manufacturer based in Hangzhou and supplies components to over a hundred other brand manufacturers worldwide – often without any visible branding on the devices themselves (SEC Consult, 2021; Krebs on Security, 2021). This means that the actual origin of the devices usually remains hidden from end users. Identification often only occurs through technical analysis – for example, via hidden error messages, URL endpoints such as /err.html or conspicuous GUI designs (Heise, 2021).
As security expert Karsten Kirchhof recently emphasised on LinkedIn, ‘the name Xiongmai is NEVER on a camera,’ but is only hidden in error messages of pseudo-national brands (Kirchhof, 2025). Manfred Holzer, Senior SOC Technician at Securitas Austria, also points out that Xiongmai ‘exclusively supplies OEM goods to hundreds of other pseudo-national and local “manufacturers” worldwide’ – with serious consequences for security (Holzer, 2025).
Main security flaws
The security flaws in Xiongmai hardware are well documented and have been known for years:
- Default passwords: Devices are shipped from the factory without an admin password and without requiring the user to set a secure password (SEC Consult, 2021; Krebs on Security, 2021).
- Hidden backdoor accounts: Even after password changes, an invisible user called ‘default’ remains active, whose password is the user name written backwards, i.e. ‘tluafed’. This allows video streams to continue to be viewed (Holzer, 2025; Krebs on Security, 2021).
- Cloud remote access via XMEye: This P2P connection, which is enabled by default, works without encryption and can bypass firewalls. This leaves millions of devices worldwide openly accessible (SEC Consult, 2021; Heise, 2021).
- Firmware security: Updates are accepted without signature verification, which allows manipulated software to be installed (Krebs on Security, 2021).
- Known exploits: A stack buffer overflow (CVE-2017-16725) allows remote code execution. Telnet access is enabled during a reboot, which allows further attacks (CISA, 2017; Krebs on Security, 2021).
The combination of these vulnerabilities with the lack of patch management on many devices is particularly explosive. Flashpoint and CISA emphasise that fundamental risks remain despite incidents that have become public knowledge (e.g. Mirai botnet) (CISA, 2017; The Guardian, 2016).
OEM cameras in the corporate network: an underestimated risk
Current LinkedIn discussions show that even in 2025, Xiongmai-based cameras continue to be integrated into production networks without testing or segmentation – often unknowingly.
‘I didn’t even think about having to commission security separately.’
— Oliver Mohr, security consultant, LinkedIn, July 2025 (Mohr, 2025)
A real-world example shows that Xiongmai cameras were operated in the same network segment as business-critical systems (e.g. Microsoft Outlook). This is a flagrant violation of basic security principles such as network segmentation. According to CISA, IoT devices should be operated strictly separate from the office network (CISA, 2022).
Security consultants such as Holzer and Kirchhof warn clearly about the discrepancy between professional standards and actual implementation. Technical opacity, hidden accounts, inadequate updates and cloud connectivity to opaque Chinese services lead to dangerous security gaps in many corporate environments.
Recommendations for practice
In view of the large number of documented vulnerabilities, the following measures are considered essential:
- Network segmentation: Cameras and IoT systems belong in their own isolated VLAN.
- Change standard accounts: Admin and hidden accounts must be reconfigured immediately.
- Check manufacturer identification: Check suspicious cameras for specific GUI designs, login error pages or cloud connections.
- Replace non-maintainable devices: Consistently remove hardware without current security updates.
- Introduce monitoring: Actively monitor network traffic and access paths.
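A minimal audit of the segmentation and monitoring recommendations above, as an added example that is not part of the original article: it flags cameras outside a dedicated camera subnet and camera-originated flows to anything other than the recorder. The inventory, addresses, subnet policy and flow records are constructed assumptions.

```python
import ipaddress

# Constructed inventory (host, ip, role); not real devices.
INVENTORY = [
    ("cam-lobby", "10.20.0.11", "camera"),
    ("cam-dock", "10.10.0.57", "camera"),   # sits in the office subnet
    ("nvr-01", "10.20.0.2", "nvr"),
    ("office-pc-7", "10.10.0.23", "office"),
]
# Assumed policy: dedicated camera subnet, internal range, permitted camera peers.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_PEERS = {ipaddress.ip_address("10.20.0.2")}  # the recorder only

# Constructed flow records (src_ip, dst_ip, dst_port, proto).
FLOWS = [
    ("10.20.0.11", "10.20.0.2", 554, "tcp"),      # stream to recorder: expected
    ("10.20.0.11", "203.0.113.40", 8000, "udp"),  # camera talking to the internet
    ("10.10.0.57", "10.10.0.23", 445, "tcp"),     # camera reaching an office host
    ("10.10.0.23", "198.51.100.9", 443, "tcp"),   # office traffic, not a camera
]

def misplaced_cameras(inventory, camera_net):
    """Return cameras whose address lies outside the dedicated camera subnet."""
    return sorted(host for host, ip, role in inventory
                  if role == "camera" and ipaddress.ip_address(ip) not in camera_net)

def suspicious_flows(inventory, flows, allowed_peers, internal_net):
    """Return camera-originated flows to any destination that is not an allowed peer."""
    cameras = {ipaddress.ip_address(ip): host
               for host, ip, role in inventory if role == "camera"}
    findings = []
    for src, dst, port, proto in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in cameras and d not in allowed_peers:
            scope = "internal" if d in internal_net else "external"
            findings.append((cameras[s], dst, port, proto, scope))
    return findings

if __name__ == "__main__":
    for host in misplaced_cameras(INVENTORY, CAMERA_NET):
        print(f"SEGMENTATION: {host} is outside {CAMERA_NET}")
    for host, dst, port, proto, scope in suspicious_flows(
            INVENTORY, FLOWS, ALLOWED_PEERS, INTERNAL_NET):
        print(f"FLOW: {host} -> {dst}:{port}/{proto} ({scope})")
```

In practice the inventory would come from an asset database and the flow records from firewall or NetFlow exports; any external finding from a camera deserves investigation, since the cloud remote access described above is enabled by default.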
Video surveillance is more than just image capture
The discussion surrounding Xiongmai cameras impressively demonstrates how dangerous careless handling of OEM hardware can be. The use of such devices, especially without network separation and without knowledge of their origin, opens the door to attackers. Statements from the current LinkedIn debate confirm that the security issues are not theoretical – they affect real-world systems.
‘The OEM stuff is built into many cameras … the [hidden account] can also view videos.’
— Manfred Holzer, LinkedIn, July 2025 (Holzer, 2025)
Modern video surveillance must think far beyond mere image capture. It requires secure hardware, traceable update processes, clear access controls – and above all, security awareness in selection, operation and maintenance.
Author: Dr Claudia Mrozek
Bibliography
- Kirchhof, K. (2025, July). XIONGMAI, huh??? – Can you eat that? LinkedIn post. Retrieved on 25 July 2025.
- Holzer, M. (2025, July). Comment on security issues in Xiongmai OEM cameras. LinkedIn comment. Retrieved on 25 July 2025.
- Mohr, O. (2025, July). Comment on security separation. LinkedIn comment. Retrieved on 25 July 2025.
- SEC Consult. (2021). Security Advisory: OEM IP Cameras with Hidden Backdoors.
- Krebs on Security. (2021). Who Makes Your Surveillance Camera?
- Heise Online. (2021). Insecure IP cameras: OEM trap Xiongmai.
- CISA. (2017). Vulnerability Note VU#770695 (CVE-2017-16725).
- The Guardian. (2016). Chinese Electronics Firm to Recall Cameras Used in Botnet Attack.