This "debug console" is on networked IP cameras (many of which are open to the web) and is available through a hardcoded password. I don't see a convincing argument for malicious intent, but rather a dangerous level of incompetence from a company that should know better.
Unfortunately, Xiongmai is not an outlier for subpar security practices on IoT products, which doesn't make it any less bad, though.
I would like to point out that this is not specific to IoT. I deal with lots of servers and enterprise networking gear at my job, and many of them come with hardcoded passwords on IPMI / networked admin consoles.
The difference is that your average Joe doesn't even know he has to configure these devices, let alone how to configure them.
Xiongmai has a history of oopsies this big or bigger, going back several years at least. Their software usually turns out to be spyware, whatever their intent may be.
Malice should be the default assumption in some scenarios. If a man with a covered face dressed in all black is discovered inside a bank vault, it should be assumed he was there to burglarize it. Maybe he was actually a ninja haplessly teleported through space and time by a powerful evil mage and landed in the bank vault through pure coincidence, but probably he's a burglar.
This isn't a court of law. We aren't morally obliged to feign naivety. If this wasn't meant to be a back door, they're free to explain their actions. But until they've done so to my satisfaction, I for one will assume malice.