Critical Unauthenticated Password Reset in KMW CCTV Security Cameras (CVE‑2026‑5386) Enables Full Camera Takeover
What It Is – KMW’s IP‑based CCTV cameras contain a critical unauthenticated password‑reset flaw (CVE‑2026‑5386). An attacker can remotely reset the administrator password to a known value, gaining unrestricted access to live video streams and device settings.
Exploitability – The vulnerability is publicly disclosed, has a CVSS v3 base score of 9.1 (Critical), and can be exploited without any credentials. No public PoC has been released, but the attack surface is trivial (exposed HTTP/HTTPS endpoints).
Affected Products –
- KM‑IP521 – firmware IPCAM_V4.04.91.230307
- KM‑IP421 – firmware IPCAM_V4.04.53.210416
Both models are listed as known_affected by the vendor.
TPRM Impact –
- Unauthorized viewing of surveillance footage can expose proprietary processes, personal data, and physical security controls across multiple sectors.
- Attackers can alter camera configurations, disable alerts, or embed malicious firmware, creating a foothold for broader supply‑chain compromise.
Recommended Actions –
- Deploy KMW’s firmware update (available at https://main.kmw.ro/pub/Firmware/521_421.zip) immediately on all affected devices.
- After updating, enforce a unique, strong administrator password and disable default credentials.
- Segregate CCTV networks from corporate IT and enforce strict firewall rules (allow only required management IPs).
- Enable continuous monitoring of camera logs for anomalous login or configuration changes.
- Validate that any third‑party cloud integration is re‑authenticated post‑patch.
Source: CISA Advisory – ICSA‑26‑148‑06