Milesight AIOT Cameras Vulnerable to Authorization Bypass via Weak Key Generation
The National Vulnerability Database (NVD) reports a critical weak key generation vulnerability, CVE-2026-28747, affecting specific firmware versions of Milesight AIOT cameras. This flaw, rated with a CVSS score of 7.1 (HIGH), allows an attacker to bypass authorization controls.
The vulnerability is categorized under CWE-639, signifying an ‘Authorization Bypass Through User-Controlled Key’. This means an attacker can manipulate or predict keys used for authentication, effectively gaining unauthorized access to the camera system. The attack vector is adjacent network, with high impact on confidentiality, integrity, and availability, according to the NVD.
For defenders, this is a clear signal to identify and isolate any Milesight AIOT cameras within their environment. The high CVSS score, coupled with the potential for complete authorization bypass, means these devices present a significant attack surface. Attackers will undoubtedly leverage such vulnerabilities for initial access, surveillance, or to pivot deeper into networks.
What This Means For You
- If your organization uses Milesight AIOT cameras, you need to immediately identify all affected devices and patch them to the latest secure firmware versions. If patching isn't an option, isolate these cameras on a segmented network, restrict their access to the internet, and monitor them aggressively for anomalous activity. This isn't theoretical; an authorization bypass on an exposed camera is a direct path into your perimeter.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-28747 - Milesight AIOT Camera Authorization Bypass via Weak Key Generation
```yaml
title: CVE-2026-28747 - Milesight AIOT Camera Authorization Bypass via Weak Key Generation
id: scw-2026-04-27-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-28747 by targeting the /cgi-bin/admin/setSystem.cgi endpoint with a POST request, often associated with login attempts that leverage the authorization bypass vulnerability due to weak key generation in Milesight AIOT cameras.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-28747/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/cgi-bin/admin/setSystem.cgi'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'login.cgi?action=login'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
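To check what the rule above would and would not alert on before deploying it, the following added example (not code from the feed or from Milesight) evaluates the rule's `selection` the way Sigma does: every field must match, list values are alternatives, and string comparison is case-insensitive. The log records and the `c-ip` field name are constructed for illustration; the other field names and values come from the rule.

```python
# Added example: a minimal evaluator for the rule's `selection` map.
RULE_SELECTION = {
    "cs-uri|contains": ["/cgi-bin/admin/setSystem.cgi"],
    "cs-method": ["POST"],
    "cs-uri-query|contains": ["login.cgi?action=login"],
}

def field_matches(key, patterns, event):
    """One selection entry: list values are ORed, strings compare case-insensitively."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False  # a field the log source never recorded cannot match
    value = str(value).lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if modifier == "contains" and pattern in value:
            return True
        if modifier == "" and pattern == value:
            return True
    return False

def selection_matches(selection, event):
    """All entries of a selection map must match (logical AND)."""
    return all(field_matches(k, v, event) for k, v in selection.items())

# Constructed web server records (documentation IP range, assumed `c-ip` field).
URI = "/cgi-bin/admin/setSystem.cgi"
SAMPLE_EVENTS = [
    {"c-ip": "192.0.2.10", "cs-method": "POST", "cs-uri": URI,
     "cs-uri-query": "login.cgi?action=login"},
    {"c-ip": "192.0.2.11", "cs-method": "post", "cs-uri": URI.upper(),
     "cs-uri-query": "x=1&login.cgi?action=login"},   # case differs, still matches
    {"c-ip": "192.0.2.12", "cs-method": "POST", "cs-uri": URI,
     "cs-uri-query": ""},                             # no login string: no alert
    {"c-ip": "192.0.2.13", "cs-method": "GET", "cs-uri": URI,
     "cs-uri-query": "login.cgi?action=login"},       # wrong method: no alert
    {"c-ip": "192.0.2.14", "cs-method": "POST", "cs-uri": URI},  # query not logged
]

def matching_clients(events):
    """Return the client addresses whose requests satisfy the whole selection."""
    return [e["c-ip"] for e in events if selection_matches(RULE_SELECTION, e)]

if __name__ == "__main__":
    for ip in matching_clients(SAMPLE_EVENTS):
        print("rule hit from", ip)
```

Because the three conditions are ANDed, a POST to the endpoint whose logged query string lacks the login string, or a log source that does not record `cs-uri-query` at all, produces no alert; confirm your web or proxy logs populate all three fields.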
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-28747 | Auth Bypass | Milesight AIOT cameras firmware |
| CVE-2026-28747 | Cryptographic Failure | weak key generation |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 02:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.