HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Stored XSS (CVE-2026-6824) in CP Plus 8‑Channel NVR Threatens Surveillance Systems Across Critical Infrastructure

A stored cross‑site scripting flaw (CVE‑2026‑6824) in CP Plus 8‑channel network video recorders allows malicious scripts to run in the browsers of authenticated users, exposing video feeds and system controls. The vulnerability scores 8.4 (High) on CVSS and affects devices deployed in commercial facilities, manufacturing, and emergency services, creating a supply‑chain risk for third‑party risk managers.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 cisa.gov
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
5 recommended
📰
Source
cisa.gov

Stored XSS (CVE‑2026‑6824) in CP Plus 8‑Channel Network Video Recorder Endangers Critical Surveillance

What It Is — A stored cross‑site scripting (XSS) flaw (CVE‑2026‑6824) in the web interface of CP Plus 8‑channel NVRs allows an attacker to embed malicious JavaScript that runs in the browser of any authenticated user or administrator. The vulnerability stems from insufficient sanitization of user‑supplied input in several firmware modules.

Exploitability — Publicly disclosed; proof‑of‑concept scripts are available. CVSS v3.1 base score 8.4 (High). Exploitation is feasible against any reachable NVR running the vulnerable firmware.

Affected Products — CP‑Plus 8‑Ch. Network Video Recorder:

  • Hardware V1.0 (CP‑UNR‑108F1)
  • Web firmware V3.2.7.128806 (CP‑UNR‑108F1)
  • System firmware V4.001.00AT009.0.R (CP‑UNR‑108F1)

TPRM Impact — Organizations that embed CP Plus NVRs in commercial facilities, manufacturing plants, or emergency‑service sites face a supply‑chain risk: an attacker compromising a recorder can hijack video feeds, exfiltrate surveillance data, or disrupt operations, potentially cascading to partner networks.

Recommended Actions

  • Verify firmware version; upgrade to the vendor‑released patch or latest stable release.
  • If a patch is unavailable, disable external web access and enforce strict network segmentation.
  • Deploy a Web Application Firewall (WAF) rule to block script tags in NVR UI inputs.
  • Enforce multi‑factor authentication for all NVR admin accounts.
  • Conduct a focused security review of all deployed CP Plus devices and update incident‑response playbooks.

Source: CISA Advisory – ICSA‑26‑148‑05

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →