Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (icscert) · only source for this CVE.
CVSS VectorVendor: icscert
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings.
AnalysisAI
Unauthenticated administrator password reset in KMW KM-IP521 and KM-IP421 CCTV cameras allows remote network-based attackers to reset the admin credential to a known value and obtain full control of the device, including live video feeds and configuration. The flaw is classified under CWE-620 (Unverified Password Change) and was disclosed via CISA's ICS-CERT coordination channel with a CVSS 9.1 rating. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack complexity and lack of authentication make it high-priority for any internet- or LAN-exposed deployments.
Technical ContextAI
The KMW KM-IP521 and KM-IP421 are network-attached IP CCTV cameras typically deployed in physical security and OT/ICS environments - a category CISA tracks via its ICS-CERT advisory program (ICSA-26-148-06). The root cause is CWE-620, Unverified Password Change, in which the device's password-change or reset routine fails to validate that the requestor holds the current credential or any equivalent proof of authorization. In practice this means the camera's web/management interface exposes a password-reset code path that accepts a new administrator password from any caller able to reach the endpoint, bypassing the standard authentication state machine. Because the camera is an embedded appliance, the same web server typically also serves the video stream and configuration APIs, so resetting the admin password yields full plane access (view, configure, disable, pivot).
RemediationAI
Patch available per vendor advisory: download and flash the updated firmware bundle published by KMW at https://main.kmw.ro/pub/Firmware/521_421.zip covering both KM-IP521 and KM-IP421 models, and validate the fixed build number against the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-06 (released patched version was not independently confirmed from the supplied data, so cross-check the CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-06.json before deploying). Until firmware is rolled out, place the cameras on an isolated VLAN with no inbound internet exposure, restrict management-plane access (HTTP/HTTPS and any vendor-specific ports) to a dedicated NVR or jump host via ACLs at the switch or firewall, and disable UPnP and any port-forwarding rules that currently expose the camera web UI - the trade-off is loss of remote viewing apps that rely on direct connections, which should be replaced with a VPN. Rotate admin passwords post-patch on every camera since a prior silent reset cannot be ruled out, and monitor for unexpected configuration changes or new admin sessions in the interim.
Same weakness CWE-620 – Unverified Password Change
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33359
GHSA-ff7m-h5f6-v93r