PatchSiren cyber security CVE debrief
CVE-2026-20766 Raw CVE debrief
CVE-2026-20766 is a high-severity (CVSS v3.1 8.8) out-of-bounds memory access issue in specific Milesight camera firmware versions. CISA published advisory ICSA-26-113-03 on 2026-04-23; its SSVC v2 assessment describes exploitation as potentially possible and automatable, and the CVSS v3.1 vector reflects a network-reachable flaw that needs no privileges but does require user interaction, with high confidentiality, integrity, and availability impact. The safest response is to inventory Milesight camera deployments, confirm whether affected models and firmware versions are in use, and apply the vendor firmware updates listed in the advisory, starting with devices reachable from untrusted networks.
- Vendor
- Milesight
- Product
- Milesight, affected firmware by model group (versions up to and including the stated ceiling; in the advisory list a model given without a version shares the ceiling of the first model in its group):
- MS-Cxx63-PD, MS-Cxx64-xPD, MS-Cxx73-xPD, MS-Cxx75-xxPD, MS-Cxx83-xPD: <=51.7.0.77-r12
- MS-Cxx74-PA: <=3x.8.0.3-r11
- MS-C8477-HPG1: <=63.8.0.4-r3
- MS-C8477-PC: <=48.8.0.4-r3
- MS-C5321-FPE: <=62.8.0.4-r5
- MS-Cxx72-xxxPE, MS-Cxx62-xxxPE, MS-Cxx52-xxxPE, MS-Cxx66-xxxPE, MS-Cxx66-xxxGPE, MS-Cxx61-xxxPE, MS-Cxx67-xxxPE, MS-Cxx71-xxxPE, MS-Cxx41-xxxPE, MS-Cxx76-PE, MS-Cxx65-PE: <=61.8.0.5-r2
- MS-Cxx66-xxxG1, MS-Cxx62-xxxG1, MS-Cxx72-xxxG1: <=63.8.0.5-r3
- MS-CQxx31-xxxG1, MS-CQxx68-xxxG1, MS-CQxx72-xxxG1: <=CQ_63.8.0.5-r1
- MS-Nxxxx-NxE, MS-Nxxxx-xxC, MS-Nxxxx-xxE, MS-Nxxxx-xxG, MS-Nxxxx-xxH, MS-Nxxxx-xxT: <=7x.9.0.19-r5
- PMC8266-FPE, PMC8266-FGPE: <=PO_61.8.0.4_LPR
- PM3322-E: <=PI_61.8.0.3_LPR-r3
- TS4466-X4RIPG1, TS5366-X12RIPG1, TS8266-X4RIPG1, TS4466-X4RIVPG1, TS4466-RFIVPG1, TS8266-X4RIVPG1, TS8266-RFIVPG1, TS4466-X4RIWG1, TS8266-X4RIWG1: <=T_63.8.0.4_LPR-r3
- TS5510-GVH: <=T_47.8.0.4_LPR-r7
- TS5510-GH, TS5511-GVH: <=T_47.8.0.4_LPR-r6
- TS2966-X12TPE, TS4466-X4RPE, TS5366-X12PE, TS8266-X4PE, TS2966-X12TVPE, TS4466-X4RVPE, TS5366-X12VPE, TS8266-X4VPE, TS4441-X36RPE, TS4441-X36RE, TS4466-X4RWE, TS8266-X4WE: <=T_61.8.0.4_LPR-r3
- MS-C2964-RFLPC, MS-C2972-RFLPC, MS-C2966-RFLWPC, TS2866-X4TPC: <=T_45.8.0.3-r9
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-23
- Original CVE updated
- 2026-04-23
- Advisory published
- 2026-04-23
- Advisory updated
- 2026-04-23
Who should care
Security and operations teams responsible for Milesight AIoT cameras and related deployments, especially environments using the affected MS-Cxx, MS-CQxx, MS-Nxxxx, PMC8266, PM3322, TS, and MS-C29xx product lines listed in the advisory. This is most important for organizations that expose camera management interfaces, rely on these devices in OT or critical environments, or have limited ability to tolerate device instability or compromise.
Technical summary
The advisory describes an out-of-bounds memory access vulnerability in specific Milesight camera firmware versions. The CISA CSAF entry in the supplied corpus gives no deeper root-cause narrative, but it maps the issue to CWE-122 (heap-based buffer overflow) and lists a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which scores 8.8. Metric by metric: the flaw is reachable over the network without authentication (AV:N, PR:N) and with low attack complexity, but a user has to take some action for it to trigger (UI:R); scope is unchanged, so the rated impact is confined to the camera itself, where confidentiality, integrity, and availability are all high. The corpus does not say what that user action is, so until the vendor advisory is checked, any interaction with untrusted content through the camera's interfaces should be considered in scope. The advisory links to vendor firmware updates for the affected product families.
Defensive priority
High
Recommended defensive actions
- Inventory Milesight camera models and firmware versions across all sites, including remote and OT-connected deployments.
- Compare installed firmware against the affected versions listed in the CISA advisory and vendor remediation entries.
- Apply the vendor-provided firmware updates from Milesight's firmware download page as soon as practical.
- Prioritize internet-exposed, management-accessible, and operationally critical camera systems.
- If immediate patching is not possible, restrict web and administrative access to a trusted management network, keep the cameras off untrusted networks and the internet, and monitor for abnormal behavior such as unexpected reboots, crashes, or new outbound connections.
- Validate that remediation was successful by rechecking firmware versions after update.
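The actions above reduce to a version comparison per device, which is easy to get wrong by hand given the wildcard model names and the mixed version formats in the product list. The script below is an added example written for this debrief, not Milesight or CISA tooling: it encodes the ceilings transcribed above and classifies a constructed inventory, putting exposed affected devices first. Its assumptions are not stated in the advisory: a lowercase x in a model name or version is a single-character wildcard; a model listed without a version shares the ceiling of the first model in its group; a ceiling with no -rN suffix covers every build of that numeric version; and a firmware string from a different line (for example an LPR build against a non-LPR ceiling) is reported as unknown rather than guessed. Treat the output as a worklist to confirm against the vendor firmware page, not as a verdict.

```python
"""Inventory triage for CVE-2026-20766 (added example; not Milesight or CISA code).

Assumptions not stated in the advisory: a lowercase 'x' in a model name or
version string is a single-character wildcard; a model listed without a version
shares the ceiling of the first model in its group; a ceiling with no -rN suffix
covers every build of that numeric version (conservative).
"""
import re

# (space-separated model patterns, highest affected version) transcribed from the list above.
AFFECTED = [
    ("MS-Cxx63-PD MS-Cxx64-xPD MS-Cxx73-xPD MS-Cxx75-xxPD MS-Cxx83-xPD", "51.7.0.77-r12"),
    ("MS-Cxx74-PA", "3x.8.0.3-r11"),
    ("MS-C8477-HPG1", "63.8.0.4-r3"),
    ("MS-C8477-PC", "48.8.0.4-r3"),
    ("MS-C5321-FPE", "62.8.0.4-r5"),
    ("MS-Cxx72-xxxPE MS-Cxx62-xxxPE MS-Cxx52-xxxPE MS-Cxx66-xxxPE MS-Cxx66-xxxGPE MS-Cxx61-xxxPE "
     "MS-Cxx67-xxxPE MS-Cxx71-xxxPE MS-Cxx41-xxxPE MS-Cxx76-PE MS-Cxx65-PE", "61.8.0.5-r2"),
    ("MS-Cxx66-xxxG1 MS-Cxx62-xxxG1 MS-Cxx72-xxxG1", "63.8.0.5-r3"),
    ("MS-CQxx31-xxxG1 MS-CQxx68-xxxG1 MS-CQxx72-xxxG1", "CQ_63.8.0.5-r1"),
    ("MS-Nxxxx-NxE MS-Nxxxx-xxC MS-Nxxxx-xxE MS-Nxxxx-xxG MS-Nxxxx-xxH MS-Nxxxx-xxT", "7x.9.0.19-r5"),
    ("PMC8266-FPE PMC8266-FGPE", "PO_61.8.0.4_LPR"),
    ("PM3322-E", "PI_61.8.0.3_LPR-r3"),
    ("TS4466-X4RIPG1 TS5366-X12RIPG1 TS8266-X4RIPG1 TS4466-X4RIVPG1 TS4466-RFIVPG1 TS8266-X4RIVPG1 "
     "TS8266-RFIVPG1 TS4466-X4RIWG1 TS8266-X4RIWG1", "T_63.8.0.4_LPR-r3"),
    ("TS5510-GVH", "T_47.8.0.4_LPR-r7"),
    ("TS5510-GH TS5511-GVH", "T_47.8.0.4_LPR-r6"),
    ("TS2966-X12TPE TS4466-X4RPE TS5366-X12PE TS8266-X4PE TS2966-X12TVPE TS4466-X4RVPE TS5366-X12VPE "
     "TS8266-X4VPE TS4441-X36RPE TS4441-X36RE TS4466-X4RWE TS8266-X4WE", "T_61.8.0.4_LPR-r3"),
    ("MS-C2964-RFLPC MS-C2972-RFLPC MS-C2966-RFLWPC TS2866-X4TPC", "T_45.8.0.3-r9"),
]

# Version shape seen in the list: [PREFIX_]a.b.c.d[_LPR][-rN], with 'x' allowed in components.
VERSION_RE = re.compile(
    r"^(?:(?P<prefix>[A-Z]+)_)?(?P<nums>[0-9x]+(?:\.[0-9x]+)*)(?P<lpr>_LPR)?(?:-r(?P<rev>\d+))?$")

def model_matches(pattern, model):
    """Lowercase 'x' in an advisory model pattern matches one arbitrary character (assumption)."""
    regex = "".join("[0-9A-Z]" if c == "x" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, model) is not None

def parse_version(text):
    """Return (prefix, [components], is_lpr, rev_or_None), or None if the string is not in shape."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    rev = m.group("rev")
    return (m.group("prefix") or "", m.group("nums").split("."),
            m.group("lpr") is not None, int(rev) if rev is not None else None)

def compare(installed, ceiling):
    """-1/0/1 if installed is below/at/above the ceiling; None if the two are not comparable."""
    ip, inums, ilpr, irev = installed
    cp, cnums, clpr, crev = ceiling
    if ip != cp or ilpr != clpr or len(inums) != len(cnums):
        return None  # different firmware line (e.g. LPR build vs standard build)
    for i, c in zip(inums, cnums):
        if "x" in c:  # wildcard component: must have the same shape, then counts as equal
            if len(i) != len(c) or any(cc != "x" and cc != ic for ic, cc in zip(i, c)):
                return None
            continue
        if "x" in i:
            return None  # wildcard in a reported version is not something we can compare
        if int(i) != int(c):
            return 1 if int(i) > int(c) else -1
    if crev is None:
        return 0  # conservative: no -rN on the ceiling, so every build of this version counts as affected
    irev = irev or 0
    return (irev > crev) - (irev < crev)

def classify(model, version):
    """'affected', 'fixed', 'unknown' (listed model, version not comparable) or 'not_listed'."""
    for patterns, ceiling in AFFECTED:
        if any(model_matches(p, model) for p in patterns.split()):
            inst = parse_version(version)
            cmp = compare(inst, parse_version(ceiling)) if inst else None
            if cmp is None:
                return "unknown"
            return "affected" if cmp <= 0 else "fixed"
    return "not_listed"

def triage(inventory):
    """Classify every device; exposed affected devices sort first, then unknowns needing a manual check."""
    rank = {"affected": 0, "unknown": 1, "fixed": 2, "not_listed": 3}
    rows = [dict(d, status=classify(d["model"], d["firmware"])) for d in inventory]
    return sorted(rows, key=lambda r: (rank[r["status"]], not r["exposed"], r["model"]))

# Constructed sample inventory for this example; these are not real devices.
SAMPLE_INVENTORY = [
    {"model": "MS-C2963-PD", "firmware": "51.7.0.77-r12", "exposed": False},
    {"model": "MS-C2974-PA", "firmware": "32.8.0.3-r12", "exposed": True},
    {"model": "PMC8266-FGPE", "firmware": "PO_61.8.0.4_LPR-r5", "exposed": True},
    {"model": "TS4466-X4RIPG1", "firmware": "T_63.8.0.4-r3", "exposed": False},
    {"model": "MS-N1004-UPE", "firmware": "71.9.0.18-r9", "exposed": False},
    {"model": "MS-C2966-RFLG1", "firmware": "63.8.0.6-r1", "exposed": True},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['status']:<10} exposed={str(r['exposed']):<5} {r['model']:<16} {r['firmware']}")
```

The "unknown" bucket is deliberate: a listed model whose reported firmware does not parse, or sits on a different build line than the ceiling, goes to a human rather than silently counting as fixed. Re-running the same script after the update, with the new firmware strings, is the recheck that the last action above calls for.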
Evidence notes
This debrief is based on the supplied CISA CSAF advisory source item for ICSA-26-113-03 / CVE-2026-20766. The corpus states an out-of-bounds memory access vulnerability in specific Milesight AIoT camera firmware versions, maps the weakness to CWE-122, assigns CVSS v3.1 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), and provides vendor remediation entries listing affected product families and fixed firmware versions. The supplied corpus also marks the product confidence as low and needsReview=true, so product-version coverage should be validated against the vendor advisory and firmware pages before operational decisions.
Official resources
- CVE-2026-20766 CVE record (CVE.org)
- CVE-2026-20766 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA in advisory ICSA-26-113-03 on 2026-04-23. The supplied corpus shows only the initial publication revision and includes no KEV listing or ransomware association.