Longse NVR (Network Video Recorder) model NVR3608PGE2W, as well as products based on this device, are transmitting users login and password to a remote control service without using any encryption. This enables an on-path attacker to eavesdrop the credentials and subsequently obtain access to the video stream. The credentials are being sent when a user decides to change his password in routers portal.
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.