Critical Unauthenticated RCE Disclosed in AVer PTC Camera Models
CISA published an ICS advisory for CVE-2026-40624, a critical flaw affecting multiple AVer PTC camera models, including the PTC500S, PTC115, PTC500+, and PTC115+. The vulnerability stems from improper input validation and can allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request. The issue is rated Critical, with a CVSS v3.1 score of 9.8 and a CVSS v4.0 score of 9.3, and all listed versions of the affected products were reported as vulnerable.
CISA said it had no reports of public exploitation targeting the flaw at the time of publication, but urged organizations to reduce internet exposure of control system devices, isolate affected networks, and use secure remote access methods such as fully updated VPNs. Additional mitigation guidance calls for updating camera firmware to the latest available version and applying vendor-provided security patches as they become available.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CISA publishes advisory for critical AVer PTC camera vulnerability
CISA published advisory ICSA-26-169-01 for CVE-2026-40624, a critical improper input validation flaw affecting AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras. The advisory said a remote, unauthenticated attacker could achieve arbitrary code execution via a specially crafted web request and noted no known public exploitation at the time of publication.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Hard-Coded Secrets Expose Milesight AIOT Cameras to Full Compromise
CISA added two high-severity vulnerabilities affecting specific **Milesight AIOT camera firmware** versions, exposing the devices through embedded secrets in the product. **`CVE-2026-27785`** is a **hard-coded credentials** flaw (`CWE-798`) that can allow unauthorized access without privileges or user interaction, with impact spanning confidentiality, integrity, and availability. The issue was listed with a CVSS v3.1 vector of `AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating attackers on an adjacent network could exploit the weakness to take control of affected cameras. CISA also published **`CVE-2026-32644`**, a **hard-coded cryptographic key** issue (`CWE-321`) tied to SSL certificates that use default private keys in Milesight camera firmware. That flaw carries a critical CVSS v3.1 vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, meaning it is remotely exploitable over the network and could enable full compromise of device communications and operations. The disclosures were accompanied by CISA advisory and CSAF references, as well as vendor firmware download links for affected Milesight products.
Apr 28, 2026
Vulnerabilities in Automated Logic WebCTRL and ICAM365 CCTV Cameras
CISA released a set of six Industrial Control Systems (ICS) advisories, highlighting multiple vulnerabilities in widely used industrial and surveillance products. Among these, the Automated Logic WebCTRL Premium Server and Carrier i-Vu platforms were found to be susceptible to open redirect and cross-site scripting vulnerabilities, which could allow remote attackers to redirect users to malicious websites or execute unauthorized scripts. The open redirect issue, tracked as CVE-2024-8527, affects several versions of both Automated Logic WebCTRL and Carrier i-Vu, with a high CVSS score indicating significant risk if exploited. Additionally, CISA detailed critical vulnerabilities in ICAM365 CCTV camera models P201 and QC021, specifically missing authentication for critical functions. These flaws could enable attackers to gain unauthorized access to camera video streams and configuration data via unauthenticated ONVIF and RTSP services. Both advisories urge administrators to review technical details and apply recommended mitigations to reduce the risk of exploitation in operational environments.
Mar 21, 2026
Unauthenticated Root Command Injection in Vivotek Legacy Camera Firmware (CVE-2026-22755)
Akamai’s Security Intelligence and Response Team (SIRT) disclosed a **critical remote command injection** vulnerability in *Vivotek* legacy IP camera firmware tracked as **CVE-2026-22755** (reported **CVSS 9.3**). The flaw enables **unauthenticated attackers to execute arbitrary commands as `root`** by abusing the camera’s file upload handling in the `upload_map.cgi` CGI endpoint, where a user-controlled filename is incorporated into a formatted string and then passed to a shell via `system()` without proper sanitization, allowing shell metacharacter injection (e.g., `;`). Technical reporting indicates exploitation hinges on crafting an upload that satisfies several implementation constraints (e.g., upload size limits and firmware validation behaviors) and invoking the upload path in a way that preserves required environment variables; researchers demonstrated command execution by embedding commands in the filename and observing `uid=0` output. The issue reportedly impacts **dozens of models (36 cited)** across multiple Vivotek product lines and is amplified by findings that some affected legacy devices may ship or operate **without passwords set by default**, increasing the likelihood of opportunistic compromise and downstream abuse (e.g., botnet recruitment and DDoS activity) in environments still running legacy surveillance infrastructure.
Mar 21, 2026