CISA ICS Advisory: Milesight AIOT Cameras Carry Five CVEs Including CVSS 9.8 Hard-Coded SSL Key Flaw

CISA advisory ICSA-26-113-03 covers five vulnerabilities across 18-plus Milesight AIOT camera model families, including a CVSS 9.8 flaw where all devices share a hard-coded factory SSL private key that cannot be changed. An attacker with the key — which is extractable from any unit — can conduct undetectable man-in-the-middle attacks against the entire deployed fleet. Organisations using Milesight cameras in operational technology or physical security environments should isolate these devices immediately.


CISA has published advisory ICSA-26-113-03 covering five security vulnerabilities in Milesight’s AIOT network camera product line, which is deployed across enterprise physical security, manufacturing floor monitoring, transportation, and smart building environments globally. The most severe flaw — CVE-2026-32644, rated CVSS 9.8 — stems from a design decision to ship all cameras in a model family with a single factory-issued SSL private key that is embedded in firmware and cannot be replaced through the standard management interface.

The CVEs

CVE-2026-32644 (CVSS 9.8 — CRITICAL): Hard-coded SSL private key present in firmware across all units of affected model families. The key controls all HTTPS/TLS communications between cameras and management software (Milesight CMS, VMS Pro, and third-party integrations using the ONVIF/RTSP protocol stack). An attacker who extracts the key from any single unit — achievable through firmware extraction via UART debug header or from publicly available firmware downloads — can present a valid certificate for any camera in the same product family, enabling silent man-in-the-middle interception of all video streams, configuration traffic, and management credentials without triggering certificate validation warnings.

CVE-2026-27785 (CVSS 7.7 — HIGH): Hard-coded administrative credentials in the embedded Linux userspace. Default credentials (documented in installer guides and unchanged through factory reset) provide root SSH access to the camera OS. Discovered via firmware extraction.

CVE-2026-20766 (CVSS 8.6 — HIGH): Out-of-bounds memory access in the H.264/H.265 stream processing module. A crafted RTP packet can trigger a heap buffer overflow, leading to arbitrary code execution in the context of the media streaming service (typically running as root).

CVE-2026-32649 (CVSS 7.3 — HIGH): OS command injection via the camera’s web-based diagnostics interface. Authenticated attackers with access to the admin panel can execute arbitrary commands; combined with the hard-coded credential flaw, exploitation is effectively unauthenticated on default deployments.

CVE-2026-28747 (CVSS 7.1 — HIGH): Weak RSA key generation using a predictable seed derived from the device MAC address and boot timestamp. Keys generated at first boot for device identity are factorable on affected model variants using published techniques.

Affected Models

The advisory covers 18-plus model families in Milesight’s MS-C series, MS-N series NVR products, and several OEM variants sold under third-party brands including those distributed by European security integrators. Affected firmware versions span all releases prior to the April 2026 remediation patches.

| Model Series | Affected Firmware | Fix Available |
|---|---|---|
| MS-C52x4-FPB/FPC | < 59.6.0.80 | 59.6.0.80+ |
| MS-C59xx-PA/PB | < 59.6.0.80 | 59.6.0.80+ |
| MS-N72xx series NVR | < 45.9.0.4 | 45.9.0.4+ |
| MS-C35x4 | < 59.6.0.80 | 59.6.0.80+ |

Why This Is Particularly Serious for OT and Physical Security

Cameras in operational technology environments often monitor safety-critical processes — manufacturing lines, chemical plant perimeters, server room access, and data centre physical security. The hard-coded SSL key flaw (CVE-2026-32644) means:

  1. Video feed integrity cannot be trusted — an attacker on the same network segment as the camera can inject or replace the video stream with pre-recorded footage, undermining physical security monitoring in real time.
  2. Credential interception is silent — management traffic including VMS login credentials is exposed without triggering any certificate warning; stolen credentials could enable broader network access if the VMS management account is shared with other systems.
  3. Lateral movement into OT networks — cameras are frequently deployed on IT/OT boundary networks with access to both; a compromised camera OS (via CVE-2026-20766 RCE) provides a foothold on network segments that may have less monitoring than corporate IT infrastructure.

Recommended Actions

  • Apply firmware updates immediately — obtain patched firmware from Milesight’s support portal; prioritise cameras monitoring safety-critical or access-control functions.
  • Isolate camera VLANs — segment camera networks so that camera-to-VMS traffic cannot reach other network segments; cameras should not have direct internet access or routing to corporate workstation VLANs.
  • Rotate VMS/CMS credentials — any credentials used to authenticate to Milesight camera management software should be treated as potentially compromised and rotated; enable MFA on VMS admin accounts where supported.
  • Audit for OEM variants — if your physical security estate includes cameras from regional integrators or white-label brands, verify with your vendor whether units are Milesight-based and whether advisory scope applies.
  • Review physical access to camera hardware — the UART debug header extraction vector for CVE-2026-32644 and CVE-2026-27785 requires physical access; verify camera mounting locations and tamper-evident hardware controls.
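
An added example (not from the advisory or from Milesight): a fleet audit for the shared-key condition behind CVE-2026-32644. It groups cameras by the SHA-256 of their certificate's subjectPublicKeyInfo, so units serving the same key are flagged even when their certificates differ. The addresses and skeletal certificates are constructed sample data, and all function names are hypothetical.

```python
import hashlib
from collections import defaultdict

def tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        start, length = pos + 2, first
    else:                                 # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        start, length = pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, start, start + length

def spki_sha256(cert_der):
    """SHA-256 of the subjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = tlv(cert_der, 0)          # enter Certificate
    _, pos, _ = tlv(cert_der, pos)        # enter tbsCertificate
    tag, _, end = tlv(cert_der, pos)
    if tag == 0xA0:                       # skip optional [0] version
        pos = end
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, pos = tlv(cert_der, pos)
    _, _, end = tlv(cert_der, pos)        # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def shared_key_groups(certs):
    """Return {spki_hash: [hosts]} for every key served by more than one host."""
    groups = defaultdict(list)
    for host, der_bytes in certs.items():
        groups[spki_sha256(der_bytes)].append(host)
    return {h: sorted(v) for h, v in groups.items() if len(v) > 1}

# --- Constructed sample data: skeletal DER certificates, not real device certs ---
def der(tag, body):
    return bytes([tag, len(body)]) + body  # sample bodies are all < 128 bytes

def sample_cert(serial, key):
    seq = lambda *parts: der(0x30, b"".join(parts))
    spki = seq(seq(), der(0x03, b"\x00" + key))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), der(0x03, b"\x00"))

SAMPLE = {  # documentation-range addresses; two units share one key
    "192.0.2.11": sample_cert(1, b"FACTORY-KEY"),
    "192.0.2.12": sample_cert(2, b"FACTORY-KEY"),
    "192.0.2.13": sample_cert(3, b"UNIQUE-KEY"),
}

if __name__ == "__main__":
    print(shared_key_groups(SAMPLE))
```

To run this against your own cameras, fetch each certificate with `ssl.get_server_certificate((host, 443))` and convert it with `ssl.PEM_cert_to_DER_cert` before passing it to `shared_key_groups`.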
