VYPR
Advisory · Published Jun 11, 2026 · 1 source

CISA Discloses Unpatched Vulnerabilities in Brickcom Cameras Allowing Unauthorized Access to Live Feeds

CISA disclosed two vulnerabilities in Brickcom cameras that allow unauthenticated access to live snapshots and use default credentials, with no patches available.

CISA has disclosed two vulnerabilities affecting Brickcom cameras, including models Cube, Dome, Bullet, and Box running firmware version 3.2.3.5.6. The flaws, identified as CVE-2026-50245 and CVE-2026-50005, allow remote attackers to gain unauthorized access to live video feeds and potentially obtain administrative control of the devices. The vulnerabilities were discovered by researcher parsa rezaie khiabanloo and reported to CISA, but Brickcom did not respond to coordination requests, leaving the devices exposed without official patches.

CVE-2026-50245 involves missing authentication for critical functions, specifically allowing unauthenticated access to live snapshot images via the /ONVIF endpoint. This means an attacker can retrieve still images from the camera feed without any credentials. CVE-2026-50005 involves the use of default credentials, enabling any unauthenticated remote attacker to silently access camera feeds. Both vulnerabilities carry a CVSS v3.1 base score of 7.7 (HIGH) and a CVSS v4.0 score of 8.3 (HIGH).
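As an added check that is not part of the advisory or of Brickcom's own code, the following Python script tests a camera for the two conditions described above: it fetches the snapshot path without credentials and then tries a credential list against the management page. Only the /ONVIF path comes from the advisory; the management path ("/"), the admin:admin placeholder credential, and the mock camera it runs against are assumptions constructed so the script runs offline. Point probe_camera() at a real device's base URL to use it on your own network.

```python
"""Added check: probe a camera for the two exposure conditions the advisory
describes, using a constructed mock camera so the script runs offline."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SNAPSHOT_PATH = "/ONVIF"   # path named in the advisory
ADMIN_PATH = "/"           # assumption: location of the credential-protected UI
# Assumption: placeholder credential list; substitute the vendor's documented defaults.
CANDIDATE_CREDS = [("admin", "admin")]
JPEG_MAGIC = b"\xff\xd8\xff"

# Disable proxy discovery so the probe goes straight to the camera address.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url, auth=None, timeout=5):
    """GET url, optionally with HTTP Basic auth; return (status, content-type, first bytes)."""
    req = urllib.request.Request(url)
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read(16)
    except urllib.error.HTTPError as err:  # 401/403 and other error statuses land here
        return err.code, err.headers.get("Content-Type", ""), b""


def is_image_response(status, content_type, body):
    """True when the server handed back what looks like a JPEG frame."""
    return status == 200 and (content_type.startswith("image/") or body.startswith(JPEG_MAGIC))


def probe_camera(base_url, creds=CANDIDATE_CREDS):
    """Report whether the snapshot path is open and whether any candidate credential works."""
    result = {"unauthenticated_snapshot": False, "accepted_default_creds": None}
    result["unauthenticated_snapshot"] = is_image_response(*fetch(base_url + SNAPSHOT_PATH))
    for user, password in creds:
        status, _, _ = fetch(base_url + ADMIN_PATH, auth=(user, password))
        if status == 200:
            result["accepted_default_creds"] = (user, password)
            break
    return result


class MockCamera(BaseHTTPRequestHandler):
    """Constructed stand-in reproducing the two described behaviours; not Brickcom firmware."""
    DEFAULT_AUTH = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.path == SNAPSHOT_PATH:  # CVE-2026-50245: snapshot served with no auth check
            self._reply(200, "image/jpeg", JPEG_MAGIC + b"\x00" * 13)
        elif self.headers.get("Authorization") == self.DEFAULT_AUTH:  # CVE-2026-50005: default creds
            self._reply(200, "text/html", b"<html>admin</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.send_header("Content-Length", "0")
            self.end_headers()

    def _reply(self, code, content_type, body):
        self.send_response(code)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_against_mock():
    """Start the mock camera on a free loopback port, probe it, and shut it down."""
    server = HTTPServer(("127.0.0.1", 0), MockCamera)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_camera(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_against_mock())
```

A camera that has been hardened (or is not affected) should answer 401 on both requests; a device that returns an image without credentials, or accepts a factory password, matches the advisory's description and should be isolated as described in the mitigations.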

The affected cameras are deployed across multiple critical infrastructure sectors, including Commercial Facilities, Critical Manufacturing, Financial Services, and Healthcare and Public Health. The devices are used worldwide, with the company headquartered in Taiwan. Given the lack of vendor response, CISA recommends users minimize network exposure, isolate control system networks behind firewalls, and use VPNs for remote access. Organizations are also advised to perform impact analysis and risk assessment before deploying defensive measures.
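One concrete form of the "isolate behind firewalls" mitigation, added here as an example and not taken from the advisory: an nftables ruleset for a Linux firewall that sits between the camera segment and the rest of the network. The topology (cameras on 10.20.0.0/24 behind interface cam0, a video recorder at 10.10.0.5, VPN users on 10.99.0.0/24) and the port list are assumptions; adjust them to your own addressing and to the ports your recorder actually uses. The weak setting this replaces is a flat network or a port-forward that lets any host, or the internet, reach the camera web interface directly.

```nft
# Assumed topology (not from the advisory): cameras on 10.20.0.0/24 behind
# interface cam0 of a Linux firewall; the video recorder is 10.10.0.5 and
# remote operators arrive over the VPN as 10.99.0.0/24.
table inet camera_isolation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the recorder or VPN users opened.
        ct state established,related accept

        # Only the recorder and VPN users may open connections to the cameras,
        # and only to the web/ONVIF and RTSP ports they need (assumed 80, 443, 554).
        iifname != "cam0" oifname "cam0" ip saddr { 10.10.0.5, 10.99.0.0/24 } ip daddr 10.20.0.0/24 tcp dport { 80, 443, 554 } accept

        # Cameras never initiate traffic out of their segment: no phone-home,
        # and no lateral movement if one of them is compromised.
        iifname "cam0" counter log prefix "cam-egress-deny " drop

        # Everything else that tries to reach the cameras is logged and dropped.
        oifname "cam0" counter log prefix "cam-ingress-deny " drop
    }
}
```

Load it with nft -f and watch the two log prefixes: hits on cam-ingress-deny show hosts probing the cameras from outside the allow list, and hits on cam-egress-deny show a camera trying to talk out, which a device of this kind has no reason to do.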

CISA notes that no public exploitation specifically targeting these vulnerabilities has been reported at this time. The flaws are exploitable remotely, so any camera whose web interface is reachable from an untrusted network is exposed. The potential impact is significant: unauthorized access to live video feeds enables surveillance of the premises and theft of sensitive visual information, and can serve as a foothold for further compromise of the affected site.

This disclosure follows a pattern of CISA highlighting vulnerabilities in IoT and surveillance devices where vendors fail to respond. The agency urges users to contact Brickcom for support via their website. Until patches are available, organizations should implement the recommended mitigations to reduce risk.

Synthesized by Vypr AI