Milesight AIOT cameras CVE-2026-32644
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.
AnalysisAI
Milesight AIOT cameras ship with hardcoded SSL private keys enabling remote man-in-the-middle attacks and credential interception. Remote unauthenticated attackers can decrypt TLS traffic, impersonate camera services, and potentially gain administrative access to affected devices. CISA ICS-CERT published advisory ICSA-26-113-03 for this industrial/IoT vulnerability affecting network-connected surveillance infrastructure.
Technical ContextAI
This is a CWE-321 (Use of Hard-coded Cryptographic Key) vulnerability in industrial IoT surveillance equipment. SSL/TLS certificates embedded in firmware contain private keys that are identical across multiple device deployments, violating fundamental PKI security principles where each device should possess unique cryptographic material. The CVSS 4.0 vector indicates network-accessible attack surface (AV:N) with low complexity (AC:L) but requires present attack conditions (AT:P), suggesting the default certificates must still be in use rather than replaced during deployment. Industrial camera systems typically use SSL/TLS for web administration interfaces, RTSP/RTSPS streams, and API endpoints. When private keys are shared across a product line, an attacker who extracts keys from one device's firmware can decrypt traffic to any other device with the same keys, breaking the confidentiality guarantees of TLS. This is particularly critical in surveillance systems where video feeds, administrative credentials, and network configurations transit encrypted channels.
Affected ProductsAI
Milesight AIOT camera product line running specific firmware versions with embedded default SSL certificates. Exact affected firmware version ranges are not specified in available NVD data but are expected to be detailed in CISA advisory ICSA-26-113-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03. Milesight provides firmware updates at https://www.milesight.com/support/download/firmware. Organizations should consult the CISA advisory to identify their specific camera models and firmware versions against the vulnerability scope, as industrial camera product lines often include numerous models with varied firmware branches.
RemediationAI
Download and install patched firmware from Milesight's official support portal at https://www.milesight.com/support/download/firmware, cross-referencing the specific fixed versions listed in CISA advisory ICSA-26-113-03. After firmware upgrade, regenerate unique SSL certificates for each camera using the device's certificate management interface or provisioning system - the firmware update alone may not automatically replace existing certificates. For environments where immediate patching is not feasible, implement network segmentation to isolate camera management interfaces from untrusted networks, deploy VPN tunnels for all administrative access to create an additional encryption layer, and monitor for unauthorized certificate usage or TLS anomalies using network intrusion detection. These compensating controls reduce remote attack surface but do not eliminate risk from insider threats or attackers who have already gained network access. Certificate regeneration after patching is critical - leaving default certificates in place even with patched firmware may still expose devices if the vulnerability involves key material baked into older firmware images.
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today