PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32644 Raw CVE debrief

CVE-2026-32644 covers Milesight AIOT camera firmware versions that use SSL certificates with default private keys. CISA published the advisory on 2026-04-23 and lists a wide set of affected camera families. The core risk is that TLS/SSL trust for impacted devices can no longer be assumed to be unique to each installation, which can undermine device identity and expose encrypted management or service traffic to impersonation risk. Milesight’s documented mitigation is to update affected devices to the latest firmware versions. Because the advisory spans many product lines and multiple version tracks, defenders should validate the exact model/firmware pairing in inventory and prioritize any internet-exposed or remotely managed cameras first.

Vendor: Raw
Product: Milesight MS-Cxx63-PD <=51.7.0.77-r12 MS-Cxx64-xPD MS-Cxx73-xPD MS-Cxx75-xxPD MS-Cxx83-xPD MS-Cxx74-PA <=3x.8.0.3-r11 MS-C8477-HPG1 <=63.8.0.4-r3 MS-C8477-PC <=48.8.0.4-r3 MS-C5321-FPE <=62.8.0.4-r5 MS-Cxx72-xxxPE <=61.8.0.5-r2 MS-Cxx62-xxxPE MS-Cxx52-xxxPE MS-Cxx66-xxxPE MS-Cxx66-xxxGPE MS-Cxx61-xxxPE MS-Cxx67-xxxPE MS-Cxx71-xxxPE MS-Cxx41-xxxPE MS-Cxx76-PE MS-Cxx65-PE MS-Cxx66-xxxG1 <=63.8.0.5-r3 MS-Cxx62-xxxG1 MS-Cxx72-xxxG1 MS-CQxx31-xxxG1 <=CQ_63.8.0.5-r1 MS-CQxx68-xxxG1 MS-CQxx72-xxxG1 MS-Nxxxx-NxE <=7x.9.0.19-r5 MS-Nxxxx-xxC MS-Nxxxx-xxE MS-Nxxxx-xxG MS-Nxxxx-xxH MS-Nxxxx-xxT PMC8266-FPE <=PO_61.8.0.4_LPR PMC8266-FGPE PM3322-E <=PI_61.8.0.3_LPR-r3 TS4466-X4RIPG1 <=T_63.8.0.4_LPR-r3 TS5366-X12RIPG1 TS8266-X4RIPG1 TS4466-X4RIVPG1 TS4466-RFIVPG1 TS8266-X4RIVPG1 TS8266-RFIVPG1 TS4466-X4RIWG1 TS8266-X4RIWG1 TS5510-GVH <=T_47.8.0.4_LPR-r7 TS5510-GH <=T_47.8.0.4_LPR-r6 TS5511-GVH TS2966-X12TPE <=T_61.8.0.4_LPR-r3 TS4466-X4RPE TS5366-X12PE TS8266-X4PE TS2966-X12TVPE TS4466-X4RVPE TS5366-X12VPE TS8266-X4VPE TS4441-X36RPE TS4441-X36RE TS4466-X4RWE TS8266-X4WE MS-C2964-RFLPC <=T_45.8.0.3-r9 MS-C2972-RFLPC MS-C2966-RFLWPC TS2866-X4TPC
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-23
Original CVE updated: 2026-04-23
Advisory published: 2026-04-23
Advisory updated: 2026-04-23

Who should care

Security teams responsible for Milesight camera fleets, OT/physical security integrators, facilities teams, and network defenders who manage remotely accessible camera management interfaces or certificates.

Technical summary

The advisory states that specific firmware versions of Milesight AIOT cameras ship with SSL certificates that use default private keys. That means the key material is not unique per device, which weakens the security boundary normally provided by TLS certificates: any party holding the shared default key can present a certificate that looks like a legitimate device. CISA assigns a CVSS v3.1 base score of 9.8 and an SSVCv2 vector of E:P/A:Y, indicating high urgency for any device running affected firmware. The vendor remediation is a firmware upgrade to the fixed releases listed for each product family.

Defensive priority

High

Recommended defensive actions

  • Identify all Milesight cameras and compare installed firmware against the affected versions listed in the advisory.
  • Prioritize updates for internet-exposed, remotely administered, or otherwise high-trust camera deployments.
  • Upgrade affected devices to the vendor-fixed firmware versions noted in the advisory.
  • Confirm certificate and device identity handling after upgrading, especially for systems that pin or trust device certificates.
  • Review network exposure for camera management interfaces and restrict access to trusted administrative networks.
  • Document any affected models and firmware exceptions so replacement or remediation can be tracked to closure.
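As an added example (not PatchSiren's, CISA's, or Milesight's code), the following Python script performs the first and fourth actions above on an inventory export: it compares each device's firmware against the advisory's affected ceiling for its model family, and it flags devices that present the same TLS public key, which is the observable symptom of a default private key shared across units. The firmware version grammar, the reading of `x` as a per-model wildcard in both model names and version strings, the subset of model/ceiling pairs transcribed from the advisory line, and the inventory records with their SPKI fingerprints are all assumptions or constructed sample data, not values from the advisory beyond the model and version strings it lists.

```python
"""Triage a Milesight camera inventory against CVE-2026-32644 (ICSA-26-113-03).

Added example, not PatchSiren or vendor code. Check 1: is the installed firmware at or
below the advisory's affected ceiling for the model family? Check 2: do several devices
present the same TLS public key (the symptom of a default, non-unique private key)?
"""
import re
from collections import defaultdict

# Advisory version strings look like "51.7.0.77-r12", "3x.8.0.3-r11", "CQ_63.8.0.5-r1"
# or "PI_61.8.0.3_LPR-r3": optional track prefix, dotted numeric fields (an 'x' digit is
# assumed to be a per-model wildcard), optional tag, optional release number. This regex
# is this example's reading of that format, not a vendor-documented grammar.
VERSION_RE = re.compile(
    r"^(?:(?P<prefix>[A-Z]+)_)?(?P<nums>[0-9x]+(?:\.[0-9x]+)*)"
    r"(?:_(?P<tag>[A-Z]+))?(?:-r(?P<rev>\d+))?$"
)

# Model family -> affected ceiling ("<=" in the advisory). Only pairs where the bound
# sits directly after the model in the advisory line are transcribed; other families
# in the advisory are omitted here rather than guessed.
AFFECTED = {
    "MS-Cxx63-PD": "51.7.0.77-r12",
    "MS-Cxx74-PA": "3x.8.0.3-r11",
    "MS-C8477-HPG1": "63.8.0.4-r3",
    "MS-C8477-PC": "48.8.0.4-r3",
    "PMC8266-FPE": "PO_61.8.0.4_LPR",
    "PM3322-E": "PI_61.8.0.3_LPR-r3",
    "MS-C2964-RFLPC": "T_45.8.0.3-r9",
}


def parse_version(text):
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    rev = int(m.group("rev")) if m.group("rev") else 0
    return m.group("prefix") or "", m.group("nums").split("."), m.group("tag") or "", rev


def _ceiling_value(installed, ceiling):
    """Numeric value of a ceiling field; each wildcard 'x' takes the installed digit at
    that position when the two fields have the same width (so '3x' equals '32')."""
    if len(installed) == len(ceiling):
        ceiling = "".join(i if c == "x" else c for i, c in zip(installed, ceiling))
    return int(ceiling.replace("x", "0"))


def at_or_below(installed, ceiling):
    """True if installed <= ceiling, False if newer, None if the two strings are on
    different firmware tracks (prefix or tag differs) and should be checked by hand."""
    ip, ifields, itag, irev = parse_version(installed)
    cp, cfields, ctag, crev = parse_version(ceiling)
    if (ip, itag) != (cp, ctag):
        return None
    width = max(len(ifields), len(cfields))
    ifields += ["0"] * (width - len(ifields))
    cfields += ["0"] * (width - len(cfields))
    for i, c in zip(ifields, cfields):
        iv, cv = int(i), _ceiling_value(i, c)
        if iv != cv:
            return iv < cv
    return irev <= crev


def model_matches(model, pattern):
    """Advisory family names use 'x' where a digit varies between models (assumption)."""
    return len(model) == len(pattern) and all(p in ("x", m) for m, p in zip(model, pattern))


def affected_ceiling(model):
    return next((c for p, c in AFFECTED.items() if model_matches(model, p)), None)


def shared_key_groups(inventory):
    """Hosts grouped by SPKI SHA-256 fingerprint, keeping only keys seen on 2+ hosts."""
    by_fp = defaultdict(list)
    for dev in inventory:
        by_fp[dev["spki_sha256"].lower()].append(dev["host"])
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


def triage(inventory):
    shared = shared_key_groups(inventory)
    out = {}
    for dev in inventory:
        ceiling = affected_ceiling(dev["model"])
        out[dev["host"]] = {
            "affected": None if ceiling is None else at_or_below(dev["firmware"], ceiling),
            "shared_key": dev["spki_sha256"].lower() in shared,
        }
    return out


# Constructed inventory. Fingerprints are placeholders of the kind collected with:
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout \
#     | openssl pkey -pubin -outform DER | openssl dgst -sha256
SAMPLE_INVENTORY = [
    {"host": "cam-lobby-01", "model": "MS-C2963-PD", "firmware": "51.7.0.70-r9", "spki_sha256": "11" * 32},
    {"host": "cam-dock-02", "model": "MS-C2963-PD", "firmware": "51.7.0.70-r9", "spki_sha256": "11" * 32},
    {"host": "cam-gate-03", "model": "MS-C2974-PA", "firmware": "32.8.0.3-r11", "spki_sha256": "22" * 32},
    {"host": "cam-yard-04", "model": "MS-C8477-PC", "firmware": "48.8.0.5-r1", "spki_sha256": "33" * 32},
    {"host": "cam-lpr-05", "model": "PM3322-E", "firmware": "PI_61.8.0.3_LPR-r3", "spki_sha256": "44" * 32},
    {"host": "cam-lpr-06", "model": "PMC8266-FPE", "firmware": "61.8.0.2-r4", "spki_sha256": "55" * 32},
    {"host": "cam-misc-07", "model": "MS-C0000-ZZ", "firmware": "1.0.0", "spki_sha256": "66" * 32},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} affected={verdict['affected']!s:5} shared_key={verdict['shared_key']}")
```

Two results deserve attention in a real run: `affected=None` means the script could not map the device to a ceiling (unknown model, or firmware on a different track such as a missing `PO_`/`_LPR` marker) and the pairing must be checked by hand, and `shared_key=True` on two or more hosts is direct evidence that the default key is in use regardless of what the version comparison says, so those devices go to the front of the upgrade queue and their certificates should be re-issued after the firmware update.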

Evidence notes

Source corpus states: 'Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.' The advisory is CISA ICSA-26-113-03, first published 2026-04-23. The supplied remediation text says Milesight advises updating to the latest firmware from its firmware download page, and lists model-specific fixed versions for multiple product families. No KEV entry is present in the supplied data.

Official resources

Public advisory from CISA published on 2026-04-23; no known exploitation status or KEV listing is included in the supplied corpus.