CVE-2026-27785: Milesight AIOT Cameras Exposed by Hardcoded Credentials

The National Vulnerability Database (NVD) has disclosed CVE-2026-27785, detailing a critical vulnerability in specific firmware versions of Milesight AIOT cameras. This flaw, rated with a CVSS score of 8.8 (HIGH), stems from the presence of hardcoded credentials within the firmware, a classic CWE-798 issue.

Attackers leveraging this vulnerability could gain unauthorized access to affected cameras. The CVSS vector indicates a network-adjacent attack vector (AV:A) requiring no privileges (PR:N) or user interaction (UI:N), leading to high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). This means an attacker on the same local network segment could fully compromise these devices without prior authentication.

Hardcoded credentials are a gift to attackers, offering a persistent backdoor that bypasses standard security controls. For organizations deploying Milesight AIOT cameras, this isn’t just a configuration oversight; it’s a fundamental security flaw that needs immediate attention. The attacker’s calculus here is simple: find these devices on a network, use the embedded credentials, and you own them. This creates a prime pivot point for lateral movement within an internal network.

What This Means For You

  • If your organization uses Milesight AIOT cameras, identify specific firmware versions affected by CVE-2026-27785. Immediately isolate these devices from your primary network segments or, ideally, remove them from service until patches are available. Audit network traffic for any suspicious activity originating from these devices, as they are a clear target for compromise.

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1110 Credential Access

CVE-2026-27785: Milesight Camera Hardcoded Credentials Login Attempt

Sigma YAML
title: CVE-2026-27785: Milesight Camera Hardcoded Credentials Login Attempt
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
  Detects login attempts using the known hardcoded 'admin' username for Milesight AIOT cameras, which is a primary indicator of exploitation for CVE-2026-27785. This rule targets the initial access vector facilitated by the hardcoded credentials.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-27785/
tags:
  - attack.credential_access
  - attack.t1110
logsource:
  category: authentication
detection:
  selection:
    # substring match on the User field of authentication events
    User|contains:
      - 'admin'
  # fire whenever the selection matches
  condition: selection
falsepositives:
  - Legitimate administrative activity
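
The selection in the rule above, evaluated over constructed authentication events, as an added example that is not part of the original page or the SCW rule set. The event fields `src`, `dst` and `outcome`, the camera subnet and the management host are assumptions, and the scoped variant is one possible tuning, not the page's rule.

```python
# Added example: applies the page's Sigma selection (User|contains: 'admin')
# to constructed authentication events. Every event, address and inventory
# below is made up for illustration.
import ipaddress

CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")  # assumed camera VLAN
MGMT_HOSTS = {"10.20.1.5"}                          # assumed approved admin workstation

EVENTS = [  # constructed sample authentication events
    {"User": "admin", "src": "10.20.30.77", "dst": "10.20.30.10", "outcome": "success"},
    {"User": "admin", "src": "10.20.1.5", "dst": "10.20.30.10", "outcome": "success"},
    {"User": "Administrator", "src": "10.20.1.5", "dst": "10.20.40.2", "outcome": "success"},
    {"User": "sysadmin-backup", "src": "10.20.1.9", "dst": "10.20.40.3", "outcome": "failure"},
    {"User": "jsmith", "src": "10.20.1.9", "dst": "10.20.30.11", "outcome": "success"},
]

def sigma_contains(value, needles):
    """Sigma 'contains' modifier: case-insensitive substring match, OR over the list."""
    v = str(value).lower()
    return any(n.lower() in v for n in needles)

def rule_as_written(event):
    """The page's rule: selection on User|contains 'admin', condition: selection."""
    return sigma_contains(event.get("User", ""), ["admin"])

def rule_scoped(event):
    """Tuned variant (an assumption, not the page's rule): only logins to a
    camera address, from a source that is not an approved management host."""
    if not rule_as_written(event):
        return False
    to_camera = ipaddress.ip_address(event["dst"]) in CAMERA_NET
    return to_camera and event["src"] not in MGMT_HOSTS

def triage(events):
    """Return (hits of the rule as written, hits of the scoped variant) as index lists."""
    raw = [i for i, e in enumerate(events) if rule_as_written(e)]
    scoped = [i for i, e in enumerate(events) if rule_scoped(e)]
    return raw, scoped

if __name__ == "__main__":
    raw, scoped = triage(EVENTS)
    print("rule as written fires on events:", raw)
    print("scoped variant fires on events: ", scoped)
```

On this sample the rule as written fires on four of the five events, including unrelated accounts whose names merely contain "admin", while the scoped variant leaves only the login to a camera from a peer on the camera segment.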

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-27785 | Auth Bypass | Milesight AIOT camera firmware
CVE-2026-27785 | Auth Bypass | Hard-coded credentials

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 28, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
