Skip to main content

KMW IP Cameras CVE-2026-5386

| EUVDEUVD-2026-33359 CRITICAL
Unverified Password Change (CWE-620)
2026-05-29 icscert GHSA-ff7m-h5f6-v93r
9.1
CVSS 3.1 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (icscert) · only source for this CVE.

CVSS VectorVendor: icscert

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 17:51 vuln.today

DescriptionCVE.org

The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings.

AnalysisAI

Unauthenticated administrator password reset in KMW KM-IP521 and KM-IP421 CCTV cameras allows remote network-based attackers to reset the admin credential to a known value and obtain full control of the device, including live video feeds and configuration. The flaw is classified under CWE-620 (Unverified Password Change) and was disclosed via CISA's ICS-CERT coordination channel with a CVSS 9.1 rating. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack complexity and lack of authentication make it high-priority for any internet- or LAN-exposed deployments.

Technical ContextAI

The KMW KM-IP521 and KM-IP421 are network-attached IP CCTV cameras typically deployed in physical security and OT/ICS environments - a category CISA tracks via its ICS-CERT advisory program (ICSA-26-148-06). The root cause is CWE-620, Unverified Password Change, in which the device's password-change or reset routine fails to validate that the requestor holds the current credential or any equivalent proof of authorization. In practice this means the camera's web/management interface exposes a password-reset code path that accepts a new administrator password from any caller able to reach the endpoint, bypassing the standard authentication state machine. Because the camera is an embedded appliance, the same web server typically also serves the video stream and configuration APIs, so resetting the admin password yields full plane access (view, configure, disable, pivot).

RemediationAI

Patch available per vendor advisory: download and flash the updated firmware bundle published by KMW at https://main.kmw.ro/pub/Firmware/521_421.zip covering both KM-IP521 and KM-IP421 models, and validate the fixed build number against the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-06 (released patched version was not independently confirmed from the supplied data, so cross-check the CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-06.json before deploying). Until firmware is rolled out, place the cameras on an isolated VLAN with no inbound internet exposure, restrict management-plane access (HTTP/HTTPS and any vendor-specific ports) to a dedicated NVR or jump host via ACLs at the switch or firewall, and disable UPnP and any port-forwarding rules that currently expose the camera web UI - the trade-off is loss of remote viewing apps that rely on direct connections, which should be replaced with a VPN. Rotate admin passwords post-patch on every camera since a prior silent reset cannot be ruled out, and monitor for unexpected configuration changes or new admin sessions in the interim.

Share

CVE-2026-5386 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy