Critical

Unauthenticated Password Reset in KMW CCTV Security Cameras

IdentifiersCVE-2026-5386CWE-620· Unverified Password Change

CVE-2026-5386 is a critical vulnerability in KMW CCTV security cameras that allows an unauthenticated remote attacker to reset the administrator password to a known value. The issue is described as an unverified password change weakness: the affected devices accept crafted password-change requests without properly validating the requester’s identity or authorization. This enables takeover of the administrative account and full control of the device. Reported affected products include KMW KM-IP521 running firmware IPCAM_V4.04.91.230307 and KM-IP421 running firmware IPCAM_V4.04.53.210416.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation gives an attacker full administrative access to the affected camera. From there, the attacker can view live camera feeds, modify device settings and surveillance configuration, potentially disable or disrupt monitoring functions, and in some reporting alter logs to conceal activity. In operational environments, this can enable surveillance bypass, espionage, unauthorized monitoring, and service disruption.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, remove affected cameras from direct internet exposure, place them behind firewalls or on isolated network segments, and restrict remote administration to secure channels such as updated VPNs. Segment surveillance infrastructure from general-purpose networks, monitor affected devices for suspicious password changes or anomalous access, and follow defense-in-depth and incident-response practices recommended by CISA.

Remediation

Patch, then assume compromise.

Apply the vendor-provided fixed firmware for affected KMW devices as soon as possible. The content indicates patched firmware is available for the affected models. Administrators should obtain and install the official firmware updates for KM-IP521 and KM-IP421. The available reporting notes that the KM-IP421 update may temporarily remove cloud authorization functionality, which should be accounted for during change planning.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

KMWCctv Security Camerashardware

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

cyber security newsNews

Jun 2, 2026

Critical KMW CCTV Vulnerability Let Attackers Gain Unauthorized Access to Camera Feeds

A critical authentication bypass / unauthorized password change vulnerability in KMW CCTV cameras that can let attackers remotely change credentials, gain administrative access, view live feeds, alter settings, or disable surveillance functions.

security online infoNews

Jun 2, 2026

KMW CCTV Vulnerability: Password Reset Flaw

A critical unauthenticated password reset vulnerability in KMW CCTV devices that allows remote attackers to reset administrative credentials, gain full administrative access, view camera feeds, modify settings, and alter logs.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-5386

NVD

nvd.nist.gov/vuln/detail/CVE-2026-5386

MITRE CWE · CWE-620

Unverified Password Change

github.com

github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-06.json

main.kmw.ro

main.kmw.ro/pub/Firmware/521_421.zip

cisa.gov

cisa.gov/news-events/ics-advisories/icsa-26-148-06