PatchSiren


CVE-2026-7766 Kenik CVE debrief

CVE-2026-7766 is a path traversal vulnerability in the Kenik Camera management Panel that allows unauthenticated attackers to read arbitrary files from the server via crafted GET requests. The vulnerability affects KG-5260xxxx-IL-(G)2 cameras and other Kenik camera products. The issue was resolved in version 2026-04-23 for the KG-5260xxxx-IL-(G)2 camera series, with remaining products patched in version 2025-04-21. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Vendor: Kenik
Product: KG-5230TAS-IL-3
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations deploying Kenik IP cameras, particularly KG-5260xxxx-IL-(G)2 models, should prioritize patching. Security teams managing IoT/camera networks, facilities administrators with surveillance infrastructure, and MSPs supporting physical security deployments are affected. The unauthenticated nature and file read capability create significant exposure for credential theft, configuration extraction, and lateral movement preparation.

Technical summary

The Kenik Camera management Panel fails to properly sanitize file paths in GET requests, enabling directory traversal attacks. An unauthenticated remote attacker can exploit this weakness by sending specially crafted requests containing path traversal sequences to access sensitive files outside the intended directory scope. The vulnerability permits arbitrary file read operations on the underlying server filesystem. The attack requires network adjacency but no authentication credentials.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade KG-5260xxxx-IL-(G)2 cameras to firmware version 2026-04-23 or later
  • Upgrade all other affected Kenik camera products to firmware version 2025-04-21 or later
  • Restrict network access to Kenik Camera management Panel interfaces to trusted administrative segments
  • Monitor for anomalous GET requests containing path traversal sequences (../, ..%2f, etc.) directed at camera management endpoints
  • Review access logs for unauthorized file access attempts
  • Implement network segmentation to isolate camera management interfaces from untrusted networks
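
One way to implement the log-monitoring action above, as an added example (not part of the original advisory or any Kenik tooling): a Python script that flags GET requests whose decoded target contains a `..` segment, including encoded and double-encoded forms. The combined log format, the sample lines and all function names are assumptions; the page does not document the panel's log format or URL layout.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (an assumption: the page
# does not document the panel's log format or URL layout).
SAMPLE_LOG = """\
10.0.5.20 - - [26/May/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.5.77 - - [26/May/2026:10:01:09 +0000] "GET /static/../../some/file HTTP/1.1" 200 1203
10.0.5.77 - - [26/May/2026:10:01:11 +0000] "GET /static/..%2f..%2fsome/file HTTP/1.1" 403 0
10.0.5.77 - - [26/May/2026:10:01:15 +0000] "GET /view?file=%252e%252e%252fconfig HTTP/1.1" 200 88
10.0.5.20 - - [26/May/2026:10:02:00 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 40
10.0.5.21 - - [26/May/2026:10:02:05 +0000] "POST /login HTTP/1.1" 302 0
"""

REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_fully(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences (%252e) surface."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")  # treat backslash as a separator too


def has_traversal(target):
    """True if any path or query token is exactly '..' after decoding."""
    return ".." in re.split(r"[/?&=]", decode_fully(target))


def find_traversal(log_text):
    """Return (client_ip, status, raw_target) for suspicious GET requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and m["method"] == "GET" and has_traversal(m["target"]):
            hits.append((m["ip"], int(m["status"]), m["target"]))
    return hits


if __name__ == "__main__":
    for ip, status, target in find_traversal(SAMPLE_LOG):
        # A 200 on a flagged request means the panel answered it: triage first.
        print(f"{ip} status={status} target={target}")
```

Matching on exact `..` tokens rather than the substring keeps benign names such as `v1..2` from being flagged.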

Evidence notes

The CVE description confirms unauthenticated path traversal with arbitrary file read capability. CVSS 4.0 vector indicates attack vector from adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), and high confidentiality impact on the vulnerable system (VC:H) and subsequent systems (SC:H). The CERT.PL reference provides authoritative vendor disclosure. Vendor identification remains under review with confidence marked as unknown.
