Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable admin upload with no user interaction (AV:N/AC:L/UI:N) but requires high-privilege auth (PR:H); core impact is file/certificate integrity (I:H) with possible service disruption (A:L) and no clear data disclosure (C:N).
Primary rating from Vendor (icscert).
CVSS VectorVendor: icscert
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability exists in H.View IP cameras certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validating file type, structure, or size. This design omission enables the placement of unexpected or malformed data in locations intended for trusted certificate material, which could affect system integrity or behavior even after reboot.
AnalysisAI
Arbitrary file upload in H.View HV-500S6 IP cameras lets an authenticated, high-privilege user (per CVSS PR:H) write unvalidated content to fixed, persistent filesystem paths reserved for trusted TLS certificate material, with no checks on file type, structure, or size. Because the planted data survives reboot, an attacker can corrupt or replace certificate stores to undermine device integrity, availability, and trust. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with high privileges (CVSS PR:H) - typically an administrative account able to reach the certificate-related upload interfaces - and network access to the camera's management web service (AV:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained administrator credentials (via reuse, default passwords, or a separate auth bypass) logs into the camera's web interface and uses the certificate upload feature to push a malformed or oversized file into the fixed certificate path instead of a valid PEM. On reboot the device loads the corrupted certificate slot, disrupting TLS services or device behavior in a way that survives restarts; no public POC is currently known. |
| Remediation | No vendor-released patch version was identified at time of analysis; the only vendor reference is a contact page (https://hviewsmart.com/pages/contact-us), so consult CISA advisory ICSA-26-176-05 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-05) and contact H.View for updated firmware before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Hv 500S6 Ip Camera
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39927
GHSA-65q4-rvjr-c9r5