Skip to main content

H.View IP Camera CVE-2026-55975

| EUVDEUVD-2026-39926 HIGH
OS Command Injection (CWE-78)
2026-06-26 icscert GHSA-prhf-prrf-qvqw
8.6
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

Network-reachable certificate interface with low complexity but requires a high-privilege authenticated account (PR:H); injected OS command runs on the same device with full C/I/A impact, no scope change.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 26, 2026 - 23:30 vuln.today
CVSS changed
Jun 26, 2026 - 23:22 NVD
7.2 (HIGH) 8.6 (HIGH)

DescriptionCVE.org

A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which are incorporated into a backend certificate creation command without proper input validation. This may allow for command execution with elevated privileges during certificate generation.

AnalysisAI

Authenticated command injection in H.View HV-500S6 IP cameras allows a logged-in user to inject unsanitized XML field values into the device's certificate generation interface, which are passed into a backend certificate-creation shell command and executed with elevated privileges. Because exploitation requires valid credentials (CVSS 4.0 PR:H) but is reachable over the network with low complexity, an attacker who obtains any account on the device can run arbitrary OS commands and take full control of the camera. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with high-privilege camera credentials
Delivery
Open certificate generation interface
Exploit
Inject shell metacharacters in XML field
Execution
Backend builds certificate command with payload
Persist
Command executes with elevated privileges
Impact
Full device compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with high privileges (CVSS 4.0 PR:H) on the camera and access to the device's certificate generation interface, where attacker-supplied XML fields are incorporated into the backend certificate-creation command. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a genuine but credential-gated risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained valid administrative credentials to an H.View HV-500S6 camera - for example via default/weak passwords or credential reuse - navigates to the certificate generation interface and submits an XML field (such as a certificate subject value) containing shell metacharacters and an embedded command. When the firmware builds and runs the certificate-creation command, the injected payload executes with elevated privileges, giving the attacker arbitrary OS command execution on the device. …
Remediation No vendor-released patch version was identified in the supplied data; the references point to the CISA ICS advisory ICSA-26-176-05 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-05) and the H.View contact page (https://hviewsmart.com/pages/contact-us) rather than a tagged firmware release, so consult those for any updated firmware and apply it once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all HV-500S6 units in production and audit active user accounts; immediately disable unnecessary credentials and implement detailed access logging on all remaining accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55975 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy