Milesight AIOT cameras CVE-2026-20766
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras.
AnalysisAI
Out-of-bounds memory access in Milesight AIOT camera firmware enables remote attackers to achieve high-severity impacts on confidentiality, integrity, and availability when users interact with malicious content. CISA ICS-CERT has issued an advisory for this industrial IoT vulnerability. With network attack vector (AV:N) and low complexity (AC:L) but requiring user interaction (UI:A), the vulnerability presents significant risk to operational technology environments where these cameras are deployed for industrial surveillance and monitoring applications.
Technical ContextAI
This vulnerability stems from CWE-122 (Heap-based Buffer Overflow), a memory corruption class where data writes exceed allocated heap memory boundaries. Tagged as both Buffer Overflow and Heap Overflow, the flaw exists in the firmware layer of Milesight's AIOT (Artificial Intelligence of Things) camera product line, which combines IP camera functionality with AI-powered analytics for industrial and smart building applications. Heap-based overflows are particularly dangerous in embedded device firmware as they can corrupt memory management structures, leading to arbitrary code execution. The CVSS 4.0 vector indicates network-accessible attack surface with no privilege requirements (PR:N), suggesting the vulnerable code path is exposed through network-facing services such as HTTP/HTTPS management interfaces or streaming protocols commonly used in IP cameras.
Affected ProductsAI
Milesight AIOT camera models running vulnerable firmware versions are affected. CISA advisory ICSA-26-113-03 provides authoritative affected version details. The vendor advisory is available at https://www.milesight.com/support/download/firmware with firmware-specific vulnerability mapping. Exact model numbers and vulnerable firmware version ranges should be confirmed from the CISA CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json. Multiple camera models within Milesight's AIOT product line are likely affected given the general firmware-level nature of the vulnerability.
RemediationAI
Milesight has released patched firmware versions available through their official support portal at https://www.milesight.com/support/download/firmware - consult CISA advisory ICSA-26-113-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 for exact patched firmware versions mapped to specific camera models. Upgrade affected cameras to the vendor-specified fixed firmware following Milesight's update procedures and verify firmware version post-upgrade. Until patching is complete, implement network segmentation to isolate cameras from untrusted networks and restrict administrative interface access to known management IP addresses via firewall rules. Disable remote administrative access if not operationally required and enforce VPN access for camera management. Since exploitation requires user interaction (UI:A), implement strict access controls on who can access camera web interfaces and conduct security awareness training to prevent users from clicking untrusted links or accessing malicious URLs through camera management portals. Monitor camera access logs for anomalous administrative activity. Note that disabling network access significantly reduces camera monitoring functionality, so network-based mitigations must balance security with operational requirements.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today