CVE-2026-20766 Overview
CVE-2026-20766 is an out-of-bounds memory access vulnerability affecting specific firmware versions of Milesight AIOT cameras. The flaw is classified as a heap-based buffer overflow [CWE-122] and can be triggered remotely across the network. Successful exploitation can compromise the confidentiality, integrity, and availability of the affected device. The issue was disclosed through the Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) advisory ICSA-26-113-03. Milesight AIOT cameras are deployed in operational technology (OT) and physical security environments, increasing the operational impact of any exploit.
Critical Impact
An unauthenticated network-adjacent attacker can trigger out-of-bounds memory access on affected Milesight AIOT cameras, potentially enabling remote code execution or denial of service against camera firmware.
Affected Products
- Milesight AIOT cameras running specific affected firmware versions (see vendor advisory)
- Refer to CISA ICS Advisory #ICSA-26-113-03 for the authoritative product and firmware list
- Replacement firmware available from the Milesight Firmware Download portal
Discovery Timeline
- 2026-04-28 - CVE-2026-20766 published to the National Vulnerability Database (NVD)
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-20766
Vulnerability Analysis
The vulnerability is an out-of-bounds memory access condition in the firmware of affected Milesight AIOT cameras. CISA classifies the weakness under [CWE-122] (Heap-Based Buffer Overflow), indicating that input is written or read past the bounds of a heap-allocated buffer. An attacker reachable over the network can deliver crafted input to the camera service to trigger the condition. The advisory indicates the issue requires user interaction, suggesting an administrator or operator must engage with attacker-supplied data, configuration, or a malicious endpoint for the flaw to fire.
Root Cause
The root cause is improper validation of size or offset values used when accessing heap-allocated memory in the camera firmware. When the firmware processes attacker-influenced input, it fails to enforce bounds against the destination buffer, resulting in reads or writes outside the allocated region. This corrupts adjacent heap structures and can be leveraged to alter control flow or crash the service.
Attack Vector
The attack vector is network-based and does not require pre-existing privileges, though it does require user interaction. An attacker crafts a malicious request or payload that the camera processes during normal handling. The resulting out-of-bounds operation can disclose memory contents, corrupt heap metadata, or crash the firmware. In the worst case, heap corruption is shaped into arbitrary code execution within the camera process context, granting attacker control over a network-resident OT device.
No public proof-of-concept code has been released. Technical details are described in the CISA CSAF JSON advisory file.
Detection Methods for CVE-2026-20766
Indicators of Compromise
- Unexpected reboots, crash loops, or service restarts on Milesight AIOT cameras coinciding with inbound traffic from untrusted sources
- Anomalous outbound connections originating from camera management interfaces to non-management hosts
- Malformed or oversized requests directed at camera HTTP, RTSP, or ONVIF endpoints in network captures
Detection Strategies
- Monitor network traffic to and from camera VLANs for protocol anomalies and oversized payloads targeting camera services
- Compare running firmware versions against the patched releases listed in ICSA-26-113-03 and flag any device on a vulnerable build
- Centralize camera and OT network telemetry for correlation with crash events and unusual administrative actions
Monitoring Recommendations
- Forward camera, switch, and firewall logs into a centralized analytics platform to detect repeated probing of camera endpoints
- Alert on new or unauthorized outbound sessions from camera subnets to internet destinations
- Track firmware hashes and version strings as configuration items so drift from approved baselines surfaces quickly
How to Mitigate CVE-2026-20766
Immediate Actions Required
- Inventory all Milesight AIOT cameras and identify devices running firmware versions called out in ICSA-26-113-03
- Apply the vendor-supplied firmware update from the Milesight Firmware Download portal as soon as it is validated for the environment
- Restrict network reachability to camera management and streaming interfaces until patching is complete
Patch Information
Milesight has published updated firmware addressing CVE-2026-20766. Operators should obtain fixed builds from the Milesight Firmware Download portal and follow the upgrade procedure documented in CISA ICS Advisory #ICSA-26-113-03. Verify firmware integrity before deployment and reboot devices to complete the update.
Workarounds
- Place affected cameras on isolated VLANs with no direct internet exposure and restrict inbound access to known management hosts
- Enforce strict firewall rules permitting only required ports and source addresses to reach camera services
- Disable unused camera services and protocols, including remote management features that are not operationally required
- Require VPN or jump-host access for any administrative interaction with camera management interfaces
# Example: restrict access to camera management subnet to a known admin host
# Replace 10.10.50.0/24 with the camera VLAN and 10.20.0.10 with the admin host
iptables -A FORWARD -s 10.20.0.10/32 -d 10.10.50.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.10.50.0/24 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
