CVE-2026-27785: Milesight AIOT Camera Auth Bypass Flaw

CVE-2026-27785 Overview

CVE-2026-27785 is a hard-coded credentials vulnerability [CWE-798] affecting specific firmware versions of Milesight AIOT cameras. The flaw allows adjacent network attackers to authenticate to affected devices using credentials embedded directly in the firmware. Because the credentials are static and cannot be changed by end users, every deployed device sharing the vulnerable firmware accepts the same authentication material.

The vulnerability was disclosed through CISA ICS Advisory ICSA-26-113-03 and impacts confidentiality, integrity, and availability of affected cameras. Milesight AIOT cameras are commonly deployed in industrial, retail, and smart-building environments, expanding the operational technology (OT) attack surface.

Critical Impact

Adjacent network attackers can authenticate to affected Milesight AIOT cameras using hard-coded firmware credentials, gaining full access to video feeds, configuration, and device functionality.

Affected Products

• Milesight AIOT camera firmware (specific firmware versions, per CISA ICSA-26-113-03)
• Milesight AIOT camera product line covered by the advisory
• Deployments exposed on adjacent (Layer 2 / local) networks

Discovery Timeline

• 2026-04-28 - CVE-2026-27785 published to the National Vulnerability Database (NVD)
• 2026-04-28 - CISA publishes ICS Advisory ICSA-26-113-03
• 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-27785

Vulnerability Analysis

The vulnerability stems from credentials embedded directly within the Milesight AIOT camera firmware image. An attacker on an adjacent network can submit these credentials to the camera's authentication interface and obtain authorized access without user interaction. The attack complexity is low, although exploitation requires the presence of attack prerequisites tied to network adjacency.

Successful authentication exposes administrative functions, including configuration changes, live video streaming, firmware operations, and account management. Because the credentials are static across affected firmware images, a single recovered secret enables access to any device running the same firmware.

Hard-coded credential flaws [CWE-798] are particularly damaging in IoT and OT environments. Cameras often connect to internal management VLANs alongside other industrial assets, allowing a compromised camera to serve as a pivot point into broader networks. The vulnerability impacts all three security properties: confidentiality through video and configuration disclosure, integrity through unauthorized configuration changes, and availability through device reboot or reconfiguration.

Root Cause

The root cause is the inclusion of static authentication material within the firmware binary. Developers embedded credentials for service, debug, or maintenance purposes without removing them from production builds. The credentials cannot be rotated or disabled by administrators through standard device configuration.

Attack Vector

The attack vector is adjacent network access. An attacker must reach the camera over the local broadcast domain, a shared VLAN, or a routed segment that the camera trusts. Once on the adjacent network, the attacker submits the hard-coded credentials to the camera's authentication endpoint (web management interface, RTSP service, or proprietary management protocol) and gains administrative control. No user interaction is required.

No verified public exploit code or proof-of-concept has been published. Refer to the CISA ICS Advisory ICSA-26-113-03 and the CSAF JSON file for technical scope and affected versions.

Detection Methods for CVE-2026-27785

Indicators of Compromise

• Successful authentication events on Milesight AIOT cameras from unexpected source addresses on adjacent networks
• Configuration changes, new user accounts, or firmware operations initiated outside scheduled maintenance windows
• Unexpected RTSP, HTTP, or proprietary management sessions originating from non-administrative hosts
• Outbound connections from camera devices to external infrastructure not associated with vendor cloud services

Detection Strategies

• Inventory all Milesight AIOT cameras and cross-reference firmware versions against the affected list in ICSA-26-113-03
• Capture and inspect authentication traffic to camera management interfaces for use of default or vendor-style usernames
• Deploy network IDS signatures that alert on management-protocol logins from hosts outside designated administrative subnets
• Correlate camera syslog or SNMP trap output with central log analytics to identify unauthorized administrative actions

Monitoring Recommendations

• Forward camera authentication and configuration logs to a centralized SIEM or data lake for longitudinal analysis
• Baseline expected source IPs, user agents, and session timing for camera management traffic and alert on deviations
• Monitor switch port and ARP tables for unexpected hosts on VLANs that contain camera infrastructure
• Track firmware version drift across the camera fleet and flag any device that fails to apply the vendor patch

How to Mitigate CVE-2026-27785

Immediate Actions Required

• Identify all Milesight AIOT cameras in the environment and determine firmware versions against the CISA advisory
• Apply vendor-supplied firmware updates from the Milesight firmware download page as soon as fixed versions are available
• Place camera management interfaces on isolated VLANs with strict access control lists limiting administrative reachability
• Block adjacent network access to camera management ports from general user and guest segments

Patch Information

Milesight provides firmware updates through its official firmware download portal. Administrators should consult CISA ICS Advisory ICSA-26-113-03 and the associated CSAF advisory data for the exact fixed firmware versions and applicability per model.

Workarounds

• Segment camera networks behind firewalls and restrict management protocols (HTTP/HTTPS, RTSP, SSH) to authorized jump hosts
• Disable any unused management services and protocols on each camera to reduce the exposed authentication surface
• Enforce 802.1X or MAC-based access control on switch ports connecting cameras to prevent rogue device pivots
• Monitor and alert on any authentication attempt to camera management interfaces from unapproved sources until patches are applied

# Example: restrict adjacent access to camera management VLAN (illustrative iptables rules on a gateway)
# Allow only the administrative subnet to reach camera management ports
iptables -A FORWARD -s 10.10.50.0/24 -d 10.20.30.0/24 -p tcp -m multiport --dports 80,443,554,22 -j ACCEPT
iptables -A FORWARD -d 10.20.30.0/24 -p tcp -m multiport --dports 80,443,554,22 -j DROP

# Log unauthorized attempts for SIEM ingestion
iptables -A FORWARD -d 10.20.30.0/24 -p tcp -m multiport --dports 80,443,554,22 \
  -j LOG --log-prefix "MILESIGHT-CAM-DENY: "