Unrated severity · NVD Advisory · Published May 25, 2026

Path Traversal in Kenik cameras

CVE-2026-7766

Description

The Kenik camera management panel is vulnerable to path traversal. An unauthenticated attacker can send a GET request with an arbitrary file path and read the corresponding files located on the server.

The issue was fixed in version 2026-04-23 of the KG-5260xxxx-IL-(G)2 cameras. The rest of the products were fixed in version 2025-04-21.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated path traversal in Kenik camera management panels allows attackers to read arbitrary server files via a crafted GET request.

Vulnerability

The Kenik camera management panel (software for models KG-5230TAS-IL-3, KG-5230TAS-IL-G3, KG-5230DAS-IL-G3, KG-5260TZAS-IL-3, KG-5260DZAS-IL-3, KG-5260TZAS-IL-G3, KG-5260DZAS-IL-G3, and KG-5260xxxx-IL-(G)2) suffers from a path traversal vulnerability (CWE-22) in its web interface. An unauthenticated attacker can send a specially crafted GET request with an arbitrary file path, and the server will read and return the contents of files outside the intended web root. All software versions before the respective fix dates are affected: for the KG-5260xxxx-IL-(G)2 models, all versions before 2026-04-23; for the other listed products, all versions before 2025-04-21 [1].

Exploitation

The attacker does not need any authentication or prior access. The only requirement is network connectivity to the vulnerable camera's management panel. The attacker sends a GET request to the web server with a path traversal sequence (e.g., ../) in the URL parameter, specifying an arbitrary file path on the server's filesystem. The server processes the request without proper validation or sanitization, and returns the file content in the HTTP response [1].

Impact

A successful exploit allows an unauthenticated attacker to read arbitrary files on the server, including configuration files, credentials, or other sensitive data. This constitutes a high-impact information disclosure that could facilitate further compromise of the device or network. The vulnerability does not require any user interaction or special privileges, making it easily exploitable by anyone with network access [1].

Mitigation

Kenik has released fixed firmware versions. For the KG-5260xxxx-IL-(G)2 series, the fix is included in the version dated 2026-04-23. For all other affected products (KG-5230TAS-IL-3, KG-5230TAS-IL-G3, KG-5230DAS-IL-G3, KG-5260TZAS-IL-3, KG-5260DZAS-IL-3, KG-5260TZAS-IL-G3, KG-5260DZAS-IL-G3), the fix is in the version dated 2025-04-21. Users should update their camera firmware to the latest version. No workaround is mentioned in the available references, and the vulnerability is not listed on the CISA KEV as of this publication [1].
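Traversal attempts of the kind described above can be hunted for in web or reverse-proxy access logs placed in front of the cameras. The following is an added example, not code from Kenik or the advisory; it assumes Combined Log Format, and the log lines, paths and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip - - [ts] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
SAMPLE_LOG = [  # constructed lines; IPs are RFC 5737 documentation ranges
    '192.0.2.10 - - [25/May/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/May/2026:10:00:05 +0000] "GET /../../placeholder/config.ini HTTP/1.1" 200 812 "-" "curl/8.0"',
    '198.51.100.7 - - [25/May/2026:10:00:06 +0000] "GET /%252e%252e/%252e%252e/placeholder/config.ini HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.4 - - [25/May/2026:10:00:09 +0000] "GET /view?file=report..2026.pdf HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(target):
    """True if the path or query of a request target contains a '..' segment."""
    parts = urlsplit(target)
    for piece in (parts.path, parts.query):
        norm = fully_decode(piece).replace("\\", "/")
        # Match '..' only as a whole segment, so 'report..2026.pdf' is not flagged.
        if ".." in re.split(r"[/&=;]", norm):
            return True
    return False

def triage(lines):
    """Return (ip, status, target, verdict) for GET requests with traversal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not has_traversal(m["target"]):
            continue
        # A 200 with a non-empty body means a file may have been returned.
        served = m["status"] == "200" and m["size"] not in ("-", "0")
        findings.append((m["ip"], int(m["status"]), m["target"],
                         "possible-read" if served else "attempt"))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A `possible-read` verdict only means the server answered 200 with a body; confirm against the device or a captured response before treating it as disclosure.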

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
