← CIO Briefings · Critical Impact ACTION REQUIRED

Milesight AIOT Camera Fleet: Shared SSL Key Means Every Unit Is Compromised If One Is

CISA advisory ICSA-26-113-03 covers five CVEs in Milesight AIOT network cameras, including a CVSS 9.8 flaw where all cameras in a model family share a single factory-embedded SSL private key. Any attacker who extracts this key — achievable from any unit, including from publicly available firmware — can silently intercept and replace video feeds and steal management credentials across the entire deployed fleet without triggering certificate warnings. Camera firmware patches are available; immediate isolation and patching is required for safety-critical and OT-adjacent deployments.

4 min read

Situation

CISA has published advisory ICSA-26-113-03 covering five security vulnerabilities in Milesight AIOT network cameras — a product line deployed across enterprise physical security, manufacturing floor monitoring, healthcare facilities, data centres, and smart building environments globally.

The most severe flaw (CVE-2026-32644, CVSS 9.8) is a fundamental design failure: every camera within a given model family ships from the factory with the same SSL private key embedded in firmware. This key governs all HTTPS/TLS communications between cameras and management systems. Because the key is identical across the entire fleet, an attacker who extracts it from any single unit — achievable through firmware analysis, including from firmware images available for download on Milesight’s public support portal — can subsequently decrypt, intercept, or replace communications from every other camera in the same model family, with no certificate validation failure visible to operators or management software.

Additional CVEs in the advisory include hard-coded root SSH credentials (CVE-2026-27785, CVSS 7.7), a remote code execution flaw in the H.264/H.265 stream processor (CVE-2026-20766, CVSS 8.6), and OS command injection via the admin web panel (CVE-2026-32649, CVSS 7.3).

Business Impact

Physical security integrity: An attacker with the extracted SSL key and network access to the camera VLAN can inject pre-recorded footage in place of live video — the canonical “loop the camera” attack scenario — without disrupting management software connectivity or triggering alerts. Camera tampering becomes undetectable through normal monitoring.

Credential theft: All traffic between cameras and VMS/CMS management platforms — including operator login credentials — passes through the compromised TLS layer. Management account credentials are exposed to any attacker on the same network segment as the cameras.

Operational technology exposure: Cameras in manufacturing, process control, and critical infrastructure environments are frequently positioned on network segments adjacent to OT systems. Compromise of the camera OS (via CVE-2026-20766 RCE, achievable unauthenticated) provides a network-resident foothold that can reach industrial control system networks with less stringent monitoring.

Scope amplification: Unlike most CVEs, CVE-2026-32644 does not require exploitation of individual devices. One successful key extraction compromises every camera in that model family across all deployments globally. If threat actors have already extracted and published this key — which cannot be confirmed — all affected Milesight camera fleets are currently vulnerable regardless of network exposure.

Immediate (within 24 hours):

  • Direct security operations to isolate Milesight camera VLANs from all other network segments — cameras should have no routing to corporate workstation networks, OT segments, or the internet until patched
  • Mandate that all Milesight camera management credentials (VMS/CMS admin accounts) be rotated immediately; treat existing credentials as potentially compromised
  • Identify whether any Milesight cameras are deployed in safety-critical locations (access control, server room monitoring, process control observation) and assess whether alternate monitoring is required during remediation

Short term (within 7 days):

  • Apply patched firmware from Milesight’s support portal to all affected units; consult advisory ICSA-26-113-03 for model-specific patch versions
  • Audit your physical security estate for OEM or white-label camera products that may be Milesight-based; verify scope with your physical security integrator
  • Enable MFA on all VMS/CMS administration accounts where supported

Ongoing:

  • Incorporate camera firmware version and EOL status into your annual network asset review
  • Review your physical security vendor’s lifecycle policy — cameras with hard-coded, non-replaceable keys represent an architectural risk that firmware patches cannot fully remediate

Affected Products

18-plus model families in Milesight’s MS-C series and MS-N NVR series. Affected firmware versions are all releases prior to April 2026 patches (MS-C5xx4 series: < 59.6.0.80; MS-N72xx NVR: < 45.9.0.4). Consult the full CISA advisory for the complete model and version matrix.