GBHackers

Critical KMW CCTV Flaw Allows Unauthorized Access to Surveillance Feeds


A critical security vulnerability in KMW CCTV security cameras could allow attackers to gain full, unauthorised access to live surveillance feeds and device settings, raising serious concerns for organisations that rely on these systems in sensitive environments.

The issue, tracked as CVE-2026-5386 and disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under advisory ICSA-26-148-06, carries a high CVSS v3 score of 9.1, indicating a severe risk.


The vulnerability stems from an “unverified password change” flaw, which enables attackers to bypass authentication mechanisms and modify device credentials without proper validation. Once exploited, threat actors can potentially take complete control of affected cameras, access real-time video streams, and alter configurations without authorization.

According to CISA, the flaw impacts specific firmware versions of KMW CCTV devices, including KM-IP521 running IPCAM_V4.04.91.230307 and KM-IP421 running IPCAM_V4.04.53.210416.

These devices are widely deployed across critical infrastructure sectors, including commercial facilities, government services, transportation systems, financial services, and manufacturing environments, increasing the potential impact of exploitation.

KMW, headquartered in Romania, did not report any active exploitation of the vulnerability in the wild at the time of disclosure. However, the nature of the flaw makes it highly attractive to threat actors, particularly for espionage, surveillance, manipulation, or reconnaissance operations targeting critical infrastructure.

The vulnerability was reported to CISA by security researcher Souvik Kandar, highlighting the ongoing importance of independent security research in identifying weaknesses within operational technology (OT) environments. Given the global deployment of these devices, organizations using affected models are urged to take immediate action.

CISA recommends several mitigation measures to reduce exposure. Organizations should ensure that CCTV and control system devices are not directly accessible from the public internet and are placed behind properly configured firewalls.

Network segmentation is strongly advised to isolate surveillance systems from business networks, thereby limiting lateral movement in the event of compromise.
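As an added example (not code from CISA, KMW or the original article), the following Python sketch triages an asset inventory against the two model and firmware pairs named above, then flags cameras that hold a public address or sit inside a business network. The inventory columns, host names, addresses, the `10.10.0.0/16` business range and the non-listed firmware string are constructed assumptions.

```python
import csv, io, ipaddress

# Model/firmware pairs named in the article. The article says "including", so
# a KMW camera on another firmware is "unconfirmed", not known to be safe.
AFFECTED = {("KM-IP521", "IPCAM_V4.04.91.230307"),
            ("KM-IP421", "IPCAM_V4.04.53.210416")}
AFFECTED_MODELS = {model for model, _ in AFFECTED}

# RFC 1918 ranges; anything outside them is treated as a public address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the business network that cameras should be segmented from.
BUSINESS_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample inventory (hypothetical hosts, documentation addresses).
SAMPLE_INVENTORY = """name,model,firmware,ip
lobby-cam,KM-IP521,IPCAM_V4.04.91.230307,203.0.113.10
dock-cam,KM-IP421,IPCAM_V4.04.53.210416,10.10.4.20
yard-cam,KM-IP421,IPCAM_V4.04.60.220101,10.50.0.7
gate-cam,km-ip521 ,ipcam_v4.04.91.230307,10.50.0.8
printer,OtherVendor-X,1.0,10.10.4.9
"""

def triage(inventory_csv):
    """Return (name, status, issues) per KMW camera, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Inventories are hand-edited: normalise case and stray whitespace.
        model = row["model"].strip().upper()
        firmware = row["firmware"].strip().upper()
        if model not in AFFECTED_MODELS:
            continue
        ip = ipaddress.ip_address(row["ip"].strip())
        status = "affected" if (model, firmware) in AFFECTED else "unconfirmed"
        issues = []
        if not any(ip in net for net in INTERNAL_NETS):
            issues.append("public-address")        # not behind private addressing
        if any(ip in net for net in BUSINESS_NETS):
            issues.append("on-business-network")   # segmentation gap
        findings.append((row["name"], status, issues))
    # Confirmed-affected devices first, then those with the most issues.
    findings.sort(key=lambda f: (f[1] != "affected", -len(f[2])))
    return findings

if __name__ == "__main__":
    for name, status, issues in triage(SAMPLE_INVENTORY):
        print(f"{name:10} {status:12} {', '.join(issues) or 'no network issue found'}")
```

A private address does not prove a camera is unreachable from the internet, since port forwarding can still expose it, so this inventory check complements an external exposure review rather than replacing it.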

For environments requiring remote access, the use of secure methods, such as updated Virtual Private Networks (VPNs), is recommended. However, CISA notes that VPN security depends on proper configuration and timely patching. Additionally, organizations should conduct thorough risk assessments before applying defensive changes to avoid operational disruptions.

Beyond technical controls, CISA emphasizes the importance of user awareness in defending against social engineering attacks, which can serve as entry points into broader attack campaigns. Security teams are encouraged to monitor for suspicious activity and report incidents to CISA to support coordinated threat tracking.

This vulnerability underscores the growing risks associated with insecure IoT and surveillance systems in critical sectors, where compromised devices can lead not only to privacy violations but also to operational and national security implications.
