CISA Warns of Critical RCE Flaw in AVer PTC Cameras
CISA disclosed a critical vulnerability (CVE-2026-40624, CVSS 9.8) in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras that allows unauthenticated remote attackers to execute arbitrary code.

CISA has issued an advisory warning of a critical vulnerability in multiple AVer PTC camera models. The flaw, tracked as CVE-2026-40624 and carrying a CVSS score of 9.8, stems from improper input validation in the web interface of the affected devices. A remote, unauthenticated attacker can exploit this by sending a specially crafted web request, leading to arbitrary code execution on the camera.
The vulnerability affects four models: PTC500S, PTC115, PTC500+, and PTC115+. All firmware versions of these cameras are considered vulnerable. AVer, a Taiwan-based manufacturer, has released a firmware fix to address the issue. Users can download the update from AVer's official download page. CISA recommends that organizations apply the patch immediately to mitigate the risk.
These cameras are deployed worldwide across critical infrastructure sectors, including Government Services and Facilities, Commercial Facilities, and Healthcare and Public Health. The broad deployment and the critical severity of the flaw make this a significant concern for security teams. The vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties), indicating that the improper input validation could allow an attacker to access or execute files outside the intended scope.
CISA's advisory notes that no known public exploitation specifically targeting this vulnerability has been reported at the time of publication. However, given the high CVSS score and the ease of exploitation (no authentication required, low attack complexity), security experts anticipate that attackers may soon attempt to weaponize it. The agency urges organizations to minimize network exposure for these devices, ensuring they are not accessible from the internet, and to place them behind firewalls isolated from business networks.
The vulnerability was reported to CISA by a researcher identified as fj016. AVer's release of a firmware patch demonstrates a proactive approach to securing its products, but the incident highlights the ongoing challenge of securing IoT and OT devices in critical environments. Organizations using these cameras should prioritize patching and review their network segmentation to prevent potential exploitation.
This advisory is part of a broader pattern of CISA disclosures covering vulnerabilities in industrial and commercial equipment. As attackers increasingly target edge devices for initial access, the importance of timely patching and robust network hygiene cannot be overstated. Security teams should treat this advisory as a high-priority action item and verify that all AVer PTC cameras in their inventory are updated to the latest firmware.
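
One way to triage an asset inventory against this advisory, ranking affected cameras by network exposure so the most exposed are patched first. This is an added example, not code from CISA or AVer. The inventory rows, the column names and the camera segment 10.50.0.0/24 are constructed assumptions.

```python
import csv
import io
import ipaddress

# Affected models as listed in the advisory; all firmware versions are affected.
AFFECTED_MODELS = {"PTC500S", "PTC115", "PTC500+", "PTC115+"}
# Assumption: the site's isolated camera segment (hypothetical value).
CAMERA_SEGMENTS = [ipaddress.ip_network("10.50.0.0/24")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory. 203.0.113.17 is a documentation address
# standing in for a public, internet-routable one.
SAMPLE_INVENTORY = """hostname,vendor,model,ip
cam-lobby,AVer,PTC500S,10.50.0.21
cam-board,aver,ptc115+,192.168.10.44
cam-clinic,AVer,PTC 500+,203.0.113.17
cam-hall,AVer,EXAMPLE-CAM,10.50.0.30
"""

def normalize_model(model):
    """Upper-case and drop separators so 'ptc 500+' matches 'PTC500+'."""
    return "".join(ch for ch in model.upper() if ch not in " -_")

def classify_exposure(ip_text):
    """Return 'isolated', 'internal-unsegmented' or 'internet-routable'."""
    addr = ipaddress.ip_address(ip_text)
    if any(addr in net for net in CAMERA_SEGMENTS):
        return "isolated"
    if any(addr in net for net in RFC1918):
        return "internal-unsegmented"
    return "internet-routable"

def triage(inventory_csv):
    """Return (hostname, model, exposure) for affected cameras, worst first."""
    order = {"internet-routable": 0, "internal-unsegmented": 1, "isolated": 2}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = normalize_model(row["model"])
        if row["vendor"].strip().upper() == "AVER" and model in AFFECTED_MODELS:
            findings.append((row["hostname"], model, classify_exposure(row["ip"])))
    return sorted(findings, key=lambda f: order[f[2]])

if __name__ == "__main__":
    for host, model, exposure in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {model:8} {exposure:22} needs firmware update")
```

Every camera the script lists needs the firmware update regardless of its exposure class; the ordering only decides which devices to pull off reachable networks and patch first.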