Hard-Coded Credentials Found in Milesight AIOT Camera Firmware
CVE-2026-27785

7.7HIGH

Key Information:

Vendor: Milesight
Status: Ms-cxx63-pd; Ms-cxx64-xpd; Ms-cxx73-xpd; Ms-cxx75-xxpd
Vendor: CVE Published:; 27 April 2026

What is CVE-2026-27785?

Certain versions of Milesight AIOT camera firmware have been discovered to contain hard-coded credentials, posing significant security risks. This vulnerability allows unauthorized access to device functionalities, potentially exposing sensitive information and compromising user privacy. It is crucial for users to update to the latest firmware version to mitigate this issue and enhance the overall security posture of their devices.

Affected Version(s)

MS-C2964-RFLPC 0

MS-C2966-RFLWPC 0

MS-C2966-X12RLPC 0

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-1...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

https://www.milesight.com/support/download/firmware

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Mar 12, 2026

Credit

Souvik Kandar reported these vulnerabilities to CISA

CVE-2026-27785 Data

JSON