ESCAM QD-900 Unauthenticated Configuration Disclosure Vulnerability Severity: High Date: November 26, 2025 Affected Products: QD-900 Vulnerability Type: CWE-306 - Missing Authentication for Critical Function CVSS Score: 4.0 - Attack Vector (AV): Network - Access Complexity (AC): Low - Authentication (Auth): None - Privilege Required (PR): None - User Interaction (UI): None - Scope (S): Unchanged - Confidentiality (C): High - Integrity (I): None - Availability (A): None References PacketStorm-156492 ExploitDB-48107 Credit Todor Donev Description The ESCAM QD-900 WIFI HD cameras contain an unauthenticated configuration disclosure vulnerability in the endpoint. This endpoint allows remote download of a compressed configuration backup without requiring authentication, potentially exposing administrative credentials and sensitive device settings to unauthenticated remote attackers.