CVE-2026-5386 Overview
CVE-2026-5386 is an unauthenticated password reset vulnerability affecting KMW CCTV security cameras. The flaw allows a remote attacker to reset the administrator password to a known value over the network without credentials or user interaction. Successful exploitation grants full administrative access to camera feeds, configuration, and management interfaces. The weakness is tracked under CWE-620: Unverified Password Change and is detailed in the CISA ICS Advisory ICSA-26-148-06.
Critical Impact
Remote, unauthenticated attackers can take over affected KMW CCTV cameras, view live and recorded video, and modify device settings.
Affected Products
- KMW CCTV Security Cameras (see KMW Firmware Download)
- Refer to CISA ICS Advisory ICSA-26-148-06 for the full list of impacted models and firmware versions
- Refer to the CSAF advisory document for machine-readable product data
Discovery Timeline
- 2026-05-29 - CVE-2026-5386 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-5386
Vulnerability Analysis
The vulnerability resides in the password change workflow of the affected KMW CCTV cameras. The device exposes a password change function that does not verify the requester's identity before applying the change. An attacker reaching the camera over the network can invoke this function to overwrite the administrator credential with a value they control. After the reset, the attacker authenticates as the administrator and gains full control over the device.
The issue is classified as CWE-620: Unverified Password Change. Because the camera does not require the current password or any other proof of authorization, the attack collapses into a single unauthenticated HTTP or device-protocol request.
Root Cause
The root cause is missing authentication on the password change endpoint. The firmware accepts a new administrator password without validating session state, the prior password, or any anti-CSRF token. This design flaw places the trust boundary in the wrong place and treats password reset as an unauthenticated administrative function.
Attack Vector
The attack is network-reachable and requires no privileges or user interaction. Cameras exposed to the internet or to a reachable network segment can be compromised directly. The attacker sends a crafted request to the password reset function, sets a known administrator password, then logs in to access video streams, modify recording behavior, or pivot deeper into the operational technology (OT) network. The vulnerability does not directly affect availability, but loss of confidentiality and integrity of the device is complete.
No verified proof-of-concept code has been published. Technical details are referenced in the CSAF advisory file.
Detection Methods for CVE-2026-5386
Indicators of Compromise
- Unexpected administrator password changes on KMW CCTV devices outside of approved maintenance windows
- Successful administrator logins from unfamiliar source IP addresses, especially external or non-management networks
- New or modified device configuration entries such as RTSP stream destinations, NTP servers, or firmware update URLs
- Anomalous outbound connections from the camera to attacker-controlled infrastructure
Detection Strategies
- Monitor HTTP and device-protocol traffic to camera management interfaces for requests targeting password change endpoints from non-management sources
- Alert on authentication events that occur immediately after a password change request from the same client IP
- Baseline normal administrative activity on the camera management VLAN and flag deviations
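The two correlation rules above, implemented as an added example (not from the advisory or from KMW): it reads a constructed gateway access log, flags password-change requests from outside the management subnet, and flags a successful login from the same client to the same camera shortly after a password-change request. The log format, the endpoint paths and the sample lines are constructed placeholders; the 10.10.50.0/24 management and 10.20.30.0/24 camera subnets are taken from the page's iptables example.

```python
import ipaddress
from datetime import datetime, timedelta

# Subnets from the advisory's firewall example; everything else is constructed.
MGMT_NET = ipaddress.ip_network("10.10.50.0/24")
PASSWORD_CHANGE_PATHS = {"/cgi-bin/set_password"}  # placeholder path, not the real endpoint
LOGIN_PATHS = {"/cgi-bin/login"}                    # placeholder path
WINDOW = timedelta(seconds=120)                     # login this soon after a reset is suspect

# Constructed gateway access log: timestamp client_ip camera_ip method path status
SAMPLE_LOG = """\
2026-06-02T09:15:01Z 10.10.50.7 10.20.30.12 POST /cgi-bin/set_password 200
2026-06-02T09:15:30Z 10.10.50.7 10.20.30.12 POST /cgi-bin/login 200
2026-06-02T11:42:10Z 203.0.113.45 10.20.30.12 POST /cgi-bin/set_password 200
2026-06-02T11:42:14Z 203.0.113.45 10.20.30.12 POST /cgi-bin/login 200
2026-06-02T11:50:00Z 10.10.50.9 10.20.30.13 GET /cgi-bin/login 401
"""


def parse(line):
    ts, client, camera, method, path, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": ipaddress.ip_address(client), "camera": camera,
            "method": method, "path": path, "status": int(status)}


def detect(log_text):
    """Return (rule, client_ip, camera_ip, severity) tuples in log order."""
    alerts = []
    pending = {}  # (client, camera) -> time of the last password-change request
    for ev in (parse(l) for l in log_text.splitlines() if l.strip()):
        key = (ev["client"], ev["camera"])
        # Changes from the management subnet are expected during maintenance
        # windows, so they are rated lower and triaged against the change calendar.
        severity = "medium" if ev["client"] in MGMT_NET else "high"
        if ev["path"] in PASSWORD_CHANGE_PATHS:
            pending[key] = ev["ts"]
            if ev["client"] not in MGMT_NET:
                alerts.append(("password_change_from_non_mgmt", str(ev["client"]), ev["camera"], severity))
        elif ev["path"] in LOGIN_PATHS and ev["status"] == 200:
            t0 = pending.get(key)
            if t0 is not None and ev["ts"] - t0 <= WINDOW:
                alerts.append(("login_after_password_change", str(ev["client"]), ev["camera"], severity))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```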
Monitoring Recommendations
- Centralize camera and network device logs in a SIEM and correlate password change events with subsequent administrative actions
- Inspect north-south and east-west traffic to OT segments hosting cameras for unsolicited connections from corporate or external networks
- Track firmware versions and device inventories continuously so that unpatched cameras are flagged for remediation
How to Mitigate CVE-2026-5386
Immediate Actions Required
- Remove affected KMW CCTV cameras from direct internet exposure and place them on isolated management VLANs
- Restrict access to the camera management interface to a small set of administrative hosts using firewall or ACL rules
- Rotate administrator passwords and audit all current accounts on affected devices after isolation
- Review camera logs and network telemetry for signs of prior exploitation
Patch Information
KMW has published updated firmware referenced in the KMW Firmware Download bundle. Review the CISA ICS Advisory ICSA-26-148-06 for vendor remediation guidance and apply the firmware version identified for your model. Validate firmware integrity before deployment and follow vendor procedures for staged rollout.
Workarounds
- Block inbound access to camera HTTP and device-protocol ports from untrusted networks at the perimeter
- Place cameras behind a VPN or jump host so that management interfaces are not reachable from general user networks
- Disable any remote management or cloud relay features on the camera that are not strictly required
- Segment cameras into a dedicated OT zone with strict egress filtering to prevent lateral movement if a device is compromised
# Example: restrict camera management to a single admin subnet using iptables on an upstream gateway
# Admin subnet 10.10.50.0/24, camera subnet 10.20.30.0/24; the ACCEPT rules must come before the DROP rules
iptables -A FORWARD -s 10.10.50.0/24 -d 10.20.30.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.10.50.0/24 -d 10.20.30.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.20.30.0/24 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 10.20.30.0/24 -p tcp --dport 443 -j DROP
# Add the same ACCEPT/DROP pair for any other management or device-protocol port the cameras expose
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.