PatchSiren cyber security CVE debrief

CVE-2026-27785 Raw CVE debrief

CISA’s advisory ICSA-26-113-03 says specific Milesight AIOT camera firmware versions contain hard-coded credentials. Milesight recommends updating affected devices to the fixed firmware releases listed in the advisory; the supplied enrichment does not include a KEV entry.

Vendor: Raw
Product: Milesight MS-Cxx63-PD <=51.7.0.77-r12 MS-Cxx64-xPD MS-Cxx73-xPD MS-Cxx75-xxPD MS-Cxx83-xPD MS-Cxx74-PA <=3x.8.0.3-r11 MS-C8477-HPG1 <=63.8.0.4-r3 MS-C8477-PC <=48.8.0.4-r3 MS-C5321-FPE <=62.8.0.4-r5 MS-Cxx72-xxxPE <=61.8.0.5-r2 MS-Cxx62-xxxPE MS-Cxx52-xxxPE MS-Cxx66-xxxPE MS-Cxx66-xxxGPE MS-Cxx61-xxxPE MS-Cxx67-xxxPE MS-Cxx71-xxxPE MS-Cxx41-xxxPE MS-Cxx76-PE MS-Cxx65-PE MS-Cxx66-xxxG1 <=63.8.0.5-r3 MS-Cxx62-xxxG1 MS-Cxx72-xxxG1 MS-CQxx31-xxxG1 <=CQ_63.8.0.5-r1 MS-CQxx68-xxxG1 MS-CQxx72-xxxG1 MS-Nxxxx-NxE <=7x.9.0.19-r5 MS-Nxxxx-xxC MS-Nxxxx-xxE MS-Nxxxx-xxG MS-Nxxxx-xxH MS-Nxxxx-xxT PMC8266-FPE <=PO_61.8.0.4_LPR PMC8266-FGPE PM3322-E <=PI_61.8.0.3_LPR-r3 TS4466-X4RIPG1 <=T_63.8.0.4_LPR-r3 TS5366-X12RIPG1 TS8266-X4RIPG1 TS4466-X4RIVPG1 TS4466-RFIVPG1 TS8266-X4RIVPG1 TS8266-RFIVPG1 TS4466-X4RIWG1 TS8266-X4RIWG1 TS5510-GVH <=T_47.8.0.4_LPR-r7 TS5510-GH <=T_47.8.0.4_LPR-r6 TS5511-GVH TS2966-X12TPE <=T_61.8.0.4_LPR-r3 TS4466-X4RPE TS5366-X12PE TS8266-X4PE TS2966-X12TVPE TS4466-X4RVPE TS5366-X12VPE TS8266-X4VPE TS4441-X36RPE TS4441-X36RE TS4466-X4RWE TS8266-X4WE MS-C2964-RFLPC <=T_45.8.0.3-r9 MS-C2972-RFLPC MS-C2966-RFLWPC TS2866-X4TPC
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-23
Original CVE updated: 2026-04-23
Advisory published: 2026-04-23
Advisory updated: 2026-04-23

Who should care

Milesight camera operators, physical security and OT/ICS teams, vulnerability management, and integrators responsible for affected deployments.

Technical summary

The issue is a hard-coded credentials weakness (CWE-798) in specific Milesight AIOT camera firmware branches spanning many product families. The supplied advisory lists model-specific firmware versions that are affected and provides vendor-fixed releases; the CVSS vector is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a score of 8.8 (High).

Defensive priority

High

Recommended defensive actions

  • Inventory Milesight camera models and firmware versions, then compare them to the affected and fixed versions listed in CISA’s advisory.
  • Prioritize firmware upgrades to the vendor-fixed releases or the latest firmware available from Milesight’s support portal.
  • Review authentication exposure on management interfaces and remove or rotate any credentials that may have been embedded, reused, or shared across devices.
  • Restrict access to camera administration networks with segmentation, VPN, and least-privilege controls, especially where adjacent-network access is possible.
  • Check logs and device management telemetry for unexpected logins or configuration changes, and validate that patched devices remain on approved firmware after maintenance.
  • Use the CISA advisory and vendor firmware guidance as the source of truth before rollout, since the source corpus marks the product mapping as low confidence and in need of review.
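
The inventory comparison in the first action can be scripted. The sketch below is an added example, not code from CISA, Milesight, or PatchSiren: it checks a constructed inventory against ceilings taken from model/version pairs that appear side by side in the product field above. The version layout, the ordering rule (dotted numeric fields, then the -r revision), and the treatment of the leading number as a firmware branch are assumptions.

```python
import re

# Ceilings copied from adjacent model/version pairs in the product field above.
# The page rates that mapping low confidence: validate against ICSA-26-113-03.
AFFECTED_CEILING = {
    "MS-C8477-HPG1": "63.8.0.4-r3",
    "MS-C8477-PC": "48.8.0.4-r3",
    "MS-C5321-FPE": "62.8.0.4-r5",
    "PM3322-E": "PI_61.8.0.3_LPR-r3",
    "TS5510-GVH": "T_47.8.0.4_LPR-r7",
    "TS5510-GH": "T_47.8.0.4_LPR-r6",
}

# Assumed layout: [PREFIX_]major.minor...[_TAG][-rN]
_VERSION = re.compile(
    r"^(?:(?P<prefix>[A-Z]+)_)?(?P<nums>\d+(?:\.\d+)+)"
    r"(?P<tag>_[A-Z]+)?(?:-r(?P<rev>\d+))?$"
)

def parse(version):
    """Return (branch, order_key), or None if the string does not fit the layout."""
    m = _VERSION.match(version.strip())
    if m is None:
        return None
    nums = tuple(int(n) for n in m["nums"].split("."))
    branch = (m["prefix"] or "", m["tag"] or "", nums[0])
    return branch, (nums[1:], int(m["rev"] or 0))

def classify(model, version):
    """'affected', 'above-ceiling' (not proof of a fix), or 'review'."""
    ceiling = AFFECTED_CEILING.get(model)
    got = parse(version)
    if ceiling is None or got is None:
        return "review"            # unknown model or unparseable version
    limit = parse(ceiling)
    if got[0] != limit[0]:
        return "review"            # different firmware branch: do not compare
    return "affected" if got[1] <= limit[1] else "above-ceiling"

def audit(inventory):
    return {host: classify(model, fw) for host, model, fw in inventory}

# Constructed inventory rows: (host, model, firmware reported by the device).
SAMPLE = [
    ("cam-lobby", "MS-C8477-HPG1", "63.8.0.4-r3"),
    ("cam-dock", "MS-C5321-FPE", "62.8.0.4-r10"),
    ("lpr-gate", "TS5510-GVH", "T_47.8.0.4_LPR-r2"),
    ("cam-roof", "MS-C8477-PC", "63.8.0.4-r1"),
]
```

Calling audit(SAMPLE) returns a status per host. Anything marked "review" or "above-ceiling" still needs checking against the fixed releases named in the advisory, which this page does not list.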

Evidence notes

The primary source is CISA CSAF advisory ICSA-26-113-03, published 2026-04-23T06:00:00Z and modified at the same time in the supplied corpus. The corpus states the problem is hard-coded credentials in specific Milesight AIOT camera firmware versions and provides vendor remediation to update to fixed firmware. The supplied enrichment does not mark this as KEV, and no public exploitation details are included in the corpus. The source mapping is marked low confidence/needs review, so product scope and fixed-version matching should be validated against the vendor firmware page.

Official resources

Publicly disclosed by CISA in advisory ICSA-26-113-03 on 2026-04-23. The supplied enrichment does not include KEV listing or a known ransomware-campaign flag.