Critical KMW CCTV Vulnerability Let Attackers Gain Unauthorized Access to Camera Feeds

A critical security flaw in KMW CCTV security cameras could allow attackers to gain full, unauthorized access to live camera feeds and device settings.

The vulnerability, tracked as CVE-2026-5386, has been assigned a high CVSS v3 score of 9.1, highlighting its severe impact on organizations relying on these surveillance systems.

The issue stems from an “unverified password change” weakness in affected devices, which allows remote attackers to modify authentication credentials without proper validation.

Once exploited, threat actors can take control of the camera, view real-time video streams, alter configurations, or potentially turn off surveillance operations altogether.

This creates significant security risks, particularly in sensitive environments where CCTV systems play a critical role in monitoring and safety.

KMW CCTV Vulnerability 

The vulnerability impacts specific KMW CCTV models, including KM-IP521 running firmware IPCAM_V4.04.91.230307 and KM-IP421 with firmware IPCAM_V4.04.53.210416.

These devices are deployed globally across multiple critical infrastructure sectors, including commercial facilities, government institutions, financial services, transportation systems, and manufacturing environments.

Given their widespread usage, exploitation could have far-reaching consequences, including surveillance bypass, espionage, and operational disruption.

Although there are currently no confirmed reports of active exploitation in the wild, the vulnerability’s severity makes it a high-priority target for threat actors, especially those focusing on IoT and industrial control system weaknesses.

From a technical perspective, the flaw allows attackers to bypass authentication controls by sending crafted requests that trigger password changes without verifying the requester’s identity.

For example, an attacker on the same network, or one who exposes devices to the internet, could issue unauthorized commands to reset credentials and gain administrative access within seconds.

Security researcher Souvik Kandar has been credited with discovering and reporting the flaw to CISA. This type of attack does not require advanced skills, making it particularly dangerous in poorly secured environments.

According to a recent CISA advisory (ICSA-26-148-06), organizations should reduce exposure by keeping devices off the public internet and behind firewalls or isolated networks.

Remote access should be enabled only through secure channels, such as updated VPNs, and organizations should ensure that all connected systems follow strict security practices.

Regular risk assessments and impact analysis are also advised before implementing changes.

Additionally, organizations are encouraged to monitor for suspicious activity, follow incident response procedures, and report anomalies to relevant authorities for correlation and threat tracking.

Implementing defense-in-depth strategies and adhering to ICS cybersecurity guidelines can significantly reduce the risk of exploitation.

As surveillance infrastructure increasingly becomes a target for cyberattacks, this vulnerability highlights the urgent need for stronger security controls in IoT-based camera systems.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP