Vicon Authentication Bypass Vulnerability Published

From SecurityFocus:

Remote unauthenticated users can add an administrator, operator, or guest accounts to various Vicon network cameras by navigating directly to a specific URL. The URL is missing authentication and gives you direct access to the form that creates new accounts. URL: http://<IP>/system/user_pop.php?method=add&ptz_use=0 . With an account, a user can view the live video and alter camera settings.

Confirmed in products: V920D, V922D, and V-CELL-HD

Login to read this IPVM discussion.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.