Seasons greetings, HaXmas readers! While most HaXmas posts this holiday season are full of fun and frivolity, this one is, admittedly, about as dry as last year’s fruitcake: a pretty routine vulnerability disclosure in a piece of IoT gear. Per Rapid7’s normal disclosure policy, we’re publishing this today, which happens to be right about 60 days after our first disclosure to the vendor of this video camera. Unfortunately, despite multiple efforts at coordination with the vendor, we haven’t heard back from them at all, so with that, we’ll just jump in with the vulnerability proper.