Milesight AIOT Cameras Critical Vulnerability: Default SSL Keys Exposed

The National Vulnerability Database has issued a critical advisory, CVE-2026-32644, for specific firmware versions of Milesight AIOT cameras. This vulnerability, carrying a CVSS score of 9.8 (CRITICAL), stems from the use of hardcoded, default private keys in the SSL certificates embedded within these devices. This isn’t just poor practice; it’s an open door for sophisticated adversaries.

Using default private keys completely undermines the security provided by SSL/TLS. An attacker with knowledge of these default keys can decrypt intercepted communications, impersonate the camera, or even inject malicious data. The impact is a full compromise of confidentiality, integrity, and availability, making these devices trivial to exploit for anyone with basic reconnaissance capabilities. This is CWE-321, a classic cryptographic weakness that should never make it into production.

For defenders, this means the private key on any Milesight AIOT camera running affected firmware cannot be treated as a secret. Attackers don’t need to brute-force or exploit complex logic; they just need to know the default key. This vulnerability drastically lowers the bar for compromise, turning these cameras into high-value targets for initial access, surveillance, or pivot points within a network.

What This Means For You

  • If your organization uses Milesight AIOT cameras, identify all deployed units immediately. Prioritize patching or isolating any devices running firmware affected by CVE-2026-32644. Assume any unpatched camera is compromised and audit network traffic originating from or destined for these devices for anomalous activity. This isn't a theoretical risk; it's a direct route to network intrusion.

Detection Rules

CVE-2026-32644 - Milesight AIOT Camera Default SSL Key Usage (critical, T1190 Initial Access)

Sigma YAML:
title: CVE-2026-32644 - Milesight AIOT Camera Default SSL Key Usage
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
  This rule detects access attempts to the Milesight AIOT camera login CGI script, which is vulnerable due to default SSL keys. Exploitation of CVE-2026-32644 allows unauthenticated access to the camera's administrative interface by leveraging these default keys.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-32644/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Both fields in the selection must match (Sigma ANDs keys within a map).
  selection:
    # Path is reproduced as published; confirm it against the login URI
    # your devices actually log before deploying the rule.
    cs-uri|contains:
      - '/cgi-bin/மையில்/login.cgi'
    cs-uri-query|contains:
      - 'login'
  # condition belongs under detection, not inside the selection map.
  condition: selection
falsepositives:
  - Legitimate administrative activity


Indicators of Compromise

ID | Type | Indicator
CVE-2026-32644 | Misconfiguration | Milesight AIOT cameras
CVE-2026-32644 | Misconfiguration | Specific firmware versions of Milesight AIOT cameras
CVE-2026-32644 | Cryptographic Failure | SSL certificates with default private keys

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 28, 2026 at 04:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
