CVE-2026-5386: KMW CCTV Security Cameras Unverified Password Change
The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings.
HarborGuard Analysis
Synopsis
An unverified password change flaw in KMW KM-IP521 and KM-IP421 CCTV cameras lets a remote attacker reset the administrator password to a known value without supplying any credentials. The bug is reachable over the network with no authentication, no user interaction, and low attack complexity, after which the attacker has full administrative control of the camera feeds and configuration. No fix is published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment. Upstream ICS-CERT feeds are ingested within minutes of publication and matched against KMW camera firmware images and any custom-built images that bundle the affected versions in customer registries and CI pipelines.
Status: Available
Triage scoring is available with the published CVSS 9.1 critical rating, then re-weighted against each customer organization's compliance policy (for example, externally exposed device firmware is escalated). Findings are routed to the appropriate inbox inside each customer org based on workload ownership.
Status: Available
No upstream fix is currently published. HarborGuard re-checks the ICS-CERT advisory on every ingest cycle and will make a patched firmware rebuild available the moment KMW ships an update, with auto-remediation customers receiving a rebuilt image, a regression test run, and a PR opened against affected workloads.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the camera's management interface over the network (AV:N).
- Authentication: Not required
  No credentials are needed; the password reset endpoint accepts unauthenticated requests (PR:N).
- Victim interaction: Not required
  No administrator or user action is required for the reset to succeed (UI:N).
- Attack complexity: Detail
  Attack complexity is low; the exploit is reliable with no environmental preconditions (AC:L).
Blast Radius
- Resets the administrator password to an attacker-chosen value and grants full admin login to the camera.
- Reads live and stored video feeds, exposing whatever the camera is pointed at.
- Modifies camera configuration, including network settings, recording behavior, and access controls, enabling persistent takeover or pivot into the surrounding network.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the ICS-CERT advisory for CVE-2026-5386 with daily re-checks for an upstream KMW firmware fix. Until a patch ships, compensating-control guidance is surfaced in each affected environment, including isolating the cameras on a dedicated management VLAN, blocking inbound internet access to the camera HTTP interface, and restricting management traffic to a known jump host. When KMW publishes fixed firmware, a patched-image rebuild becomes available automatically, and environments with auto-remediation enabled receive a rebuild, regression run, and a PR opened against affected workloads.
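The compensating controls above can be checked against an exported firewall policy. The following is an added example, not HarborGuard or KMW code; the addresses, ports, rule format and the `audit` helper are assumptions constructed for illustration (IPv4 only).

```python
import ipaddress

# Constructed values for illustration; none come from the advisory.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")  # dedicated camera VLAN
JUMP_HOST = ipaddress.ip_network("10.20.0.10/32")   # only permitted management source
MGMT_PORTS = {80, 443}                              # assumed camera HTTP(S) ports


def audit(rules, default_action="accept"):
    """Return findings for an ordered, first-match rule list.

    Each rule is a dict: src, dst (CIDR strings), port (int or None = any),
    action ("accept" or "drop"). The check is conservative: it does not model
    shadowing, so an accept that an earlier drop already covers is still flagged.
    """
    findings = []
    catch_all_drop = False
    for i, r in enumerate(rules):
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        hits_mgmt = dst.overlaps(CAMERA_NET) and (
            r["port"] is None or r["port"] in MGMT_PORTS)
        if not hits_mgmt:
            continue
        # Any accept towards the camera interface from a source wider than
        # the jump host breaks the "known jump host only" control.
        if r["action"] == "accept" and not src.subnet_of(JUMP_HOST):
            findings.append(f"rule {i}: {r['src']} can reach camera management")
        # A drop from any source, any port, covering the whole camera VLAN.
        if (r["action"] == "drop" and r["port"] is None
                and src.prefixlen == 0 and CAMERA_NET.subnet_of(dst)):
            catch_all_drop = True
    if not catch_all_drop and default_action != "drop":
        findings.append("no catch-all drop for the camera VLAN")
    return findings


# Constructed policies: an exposed camera VLAN and a restricted one.
WEAK = [{"src": "0.0.0.0/0", "dst": "10.20.30.0/24", "port": 80, "action": "accept"}]
HARDENED = [
    {"src": "10.20.0.10/32", "dst": "10.20.30.0/24", "port": 443, "action": "accept"},
    {"src": "0.0.0.0/0", "dst": "10.20.30.0/24", "port": None, "action": "drop"},
]

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(policy) or "ok")
```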
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 2
  - KMW / KM-IP521 4.04.91.230307
  - KMW / KM-IP421 4.04.53.210416
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N