PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32649 Raw CVE debrief

CVE-2026-32649 is a command injection issue in the web server of specific Milesight camera firmware. CISA’s advisory (ICSA-26-113-03) was published on 2026-04-23 and identifies affected device families, with vendor firmware updates provided as the primary remediation. The supplied advisory also assigns SSVCv2 values of Exploitation: Possible and Automatable: Yes.

Vendor
Raw
Product
Milesight MS-Cxx63-PD <=51.7.0.77-r12 MS-Cxx64-xPD MS-Cxx73-xPD MS-Cxx75-xxPD MS-Cxx83-xPD MS-Cxx74-PA <=3x.8.0.3-r11 MS-C8477-HPG1 <=63.8.0.4-r3 MS-C8477-PC <=48.8.0.4-r3 MS-C5321-FPE <=62.8.0.4-r5 MS-Cxx72-xxxPE <=61.8.0.5-r2 MS-Cxx62-xxxPE MS-Cxx52-xxxPE MS-Cxx66-xxxPE MS-Cxx66-xxxGPE MS-Cxx61-xxxPE MS-Cxx67-xxxPE MS-Cxx71-xxxPE MS-Cxx41-xxxPE MS-Cxx76-PE MS-Cxx65-PE MS-Cxx66-xxxG1 <=63.8.0.5-r3 MS-Cxx62-xxxG1 MS-Cxx72-xxxG1 MS-CQxx31-xxxG1 <=CQ_63.8.0.5-r1 MS-CQxx68-xxxG1 MS-CQxx72-xxxG1 MS-Nxxxx-NxE <=7x.9.0.19-r5 MS-Nxxxx-xxC MS-Nxxxx-xxE MS-Nxxxx-xxG MS-Nxxxx-xxH MS-Nxxxx-xxT PMC8266-FPE <=PO_61.8.0.4_LPR PMC8266-FGPE PM3322-E <=PI_61.8.0.3_LPR-r3 TS4466-X4RIPG1 <=T_63.8.0.4_LPR-r3 TS5366-X12RIPG1 TS8266-X4RIPG1 TS4466-X4RIVPG1 TS4466-RFIVPG1 TS8266-X4RIVPG1 TS8266-RFIVPG1 TS4466-X4RIWG1 TS8266-X4RIWG1 TS5510-GVH <=T_47.8.0.4_LPR-r7 TS5510-GH <=T_47.8.0.4_LPR-r6 TS5511-GVH TS2966-X12TPE <=T_61.8.0.4_LPR-r3 TS4466-X4RPE TS5366-X12PE TS8266-X4PE TS2966-X12TVPE TS4466-X4RVPE TS5366-X12VPE TS8266-X4VPE TS4441-X36RPE TS4441-X36RE TS4466-X4RWE TS8266-X4WE MS-C2964-RFLPC <=T_45.8.0.3-r9 MS-C2972-RFLPC MS-C2966-RFLWPC TS2866-X4TPC
CVSS
MEDIUM 6.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-23
Original CVE updated
2026-04-23
Advisory published
2026-04-23
Advisory updated
2026-04-23

Who should care

Organizations running Milesight cameras, especially security, facilities, and industrial environments that expose camera management interfaces or rely on centralized device administration. Teams responsible for firmware maintenance, network segmentation, and edge-device monitoring should prioritize review.

Technical summary

The source advisory describes a web server command injection vulnerability affecting specific Milesight camera firmware versions. The supplied CVSS v3.1 vector is AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H, indicating network reachability but requiring high privileges and user interaction in the modeled scenario. CISA’s CSAF lists multiple affected product families and points to Milesight firmware updates as the fix path. No exploitation details, public proof-of-concept, or KEV listing are included in the supplied corpus.

Defensive priority

Medium-to-high operational priority. The CVSS score is 6.8 (Medium), but the vulnerability affects device web management surfaces in deployed camera fleets, so exposed or widely managed environments should treat it as time-sensitive.

Recommended defensive actions

  • Inventory Milesight camera models and firmware versions against the affected product list in the CISA advisory.
  • Apply the vendor-fixed firmware versions referenced in the advisory and verify the update completed successfully.
  • If management access is exposed, restrict it to trusted administrative networks or VPN-only access.
  • Review administrative accounts and access controls for camera management interfaces.
  • Monitor camera and management-network logs for unexpected web-server activity, configuration changes, or anomalous administrative actions.
  • Follow CISA ICS recommended practices and defense-in-depth guidance for segmentation, least privilege, and asset monitoring.

Evidence notes

This debrief is based on the supplied CISA CSAF advisory for ICSA-26-113-03 / CVE-2026-32649, published and modified on 2026-04-23T06:00:00Z. The corpus states that a command injection vulnerability exists in the web server of specific Milesight camera firmware versions and that Milesight advises updating to the latest firmware from its support site. The supplied enrichment marks the issue as not in KEV and provides SSVCv2 context of Exploitation: Possible and Automatable: Yes.

Official resources

CISA published the advisory on 2026-04-23. The supplied corpus does not list the vulnerability in CISA KEV, and no public exploit or ransomware linkage is included in the source material.