Skip to main content

Milesight AIOT cameras CVE-2026-32644

CRITICAL
Use of Hard-coded Cryptographic Key (CWE-321)
2026-04-28 ics-cert@hq.dhs.gov
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 28, 2026 - 20:23 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 01:30 vuln.today
Analysis Generated
Apr 28, 2026 - 01:22 vuln.today
CVE Published
Apr 28, 2026 - 01:16 nvd
CRITICAL 9.2

DescriptionCVE.org

Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.

AnalysisAI

Milesight AIOT cameras ship with hardcoded SSL private keys enabling remote man-in-the-middle attacks and credential interception. Remote unauthenticated attackers can decrypt TLS traffic, impersonate camera services, and potentially gain administrative access to affected devices. CISA ICS-CERT published advisory ICSA-26-113-03 for this industrial/IoT vulnerability affecting network-connected surveillance infrastructure.

Technical ContextAI

This is a CWE-321 (Use of Hard-coded Cryptographic Key) vulnerability in industrial IoT surveillance equipment. SSL/TLS certificates embedded in firmware contain private keys that are identical across multiple device deployments, violating fundamental PKI security principles where each device should possess unique cryptographic material. The CVSS 4.0 vector indicates network-accessible attack surface (AV:N) with low complexity (AC:L) but requires present attack conditions (AT:P), suggesting the default certificates must still be in use rather than replaced during deployment. Industrial camera systems typically use SSL/TLS for web administration interfaces, RTSP/RTSPS streams, and API endpoints. When private keys are shared across a product line, an attacker who extracts keys from one device's firmware can decrypt traffic to any other device with the same keys, breaking the confidentiality guarantees of TLS. This is particularly critical in surveillance systems where video feeds, administrative credentials, and network configurations transit encrypted channels.

Affected ProductsAI

Milesight AIOT camera product line running specific firmware versions with embedded default SSL certificates. Exact affected firmware version ranges are not specified in available NVD data but are expected to be detailed in CISA advisory ICSA-26-113-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03. Milesight provides firmware updates at https://www.milesight.com/support/download/firmware. Organizations should consult the CISA advisory to identify their specific camera models and firmware versions against the vulnerability scope, as industrial camera product lines often include numerous models with varied firmware branches.

RemediationAI

Download and install patched firmware from Milesight's official support portal at https://www.milesight.com/support/download/firmware, cross-referencing the specific fixed versions listed in CISA advisory ICSA-26-113-03. After firmware upgrade, regenerate unique SSL certificates for each camera using the device's certificate management interface or provisioning system - the firmware update alone may not automatically replace existing certificates. For environments where immediate patching is not feasible, implement network segmentation to isolate camera management interfaces from untrusted networks, deploy VPN tunnels for all administrative access to create an additional encryption layer, and monitor for unauthorized certificate usage or TLS anomalies using network intrusion detection. These compensating controls reduce remote attack surface but do not eliminate risk from insider threats or attackers who have already gained network access. Certificate regeneration after patching is critical - leaving default certificates in place even with patched firmware may still expose devices if the vulnerability involves key material baked into older firmware images.

Share

CVE-2026-32644 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy