VYPR
Advisory · Published May 28, 2026 · 1 source

CISA Warns of Critical Unauthenticated Password Reset in KMW CCTV Cameras

A critical vulnerability (CVE-2026-5386) in KMW CCTV security cameras allows remote attackers to reset the administrator password without authentication, gaining full access to feeds and settings.

CISA has issued an advisory warning of a critical unauthenticated password reset vulnerability affecting KMW CCTV security cameras. Tracked as CVE-2026-5386 and carrying a CVSS score of 9.1, the flaw resides in the camera's web interface and allows a remote attacker to reset the administrator password to a known value without any authentication. Successful exploitation grants full unauthorized access to live camera feeds and device settings, posing a significant risk to surveillance operations.

The affected products are the KMW KM-IP521 running firmware IPCAM_V4.04.91.230307 and the KMW KM-IP421 running firmware IPCAM_V4.04.53.210416. These cameras are deployed worldwide across critical infrastructure sectors including Commercial Facilities, Government Services and Facilities, Critical Manufacturing, Financial Services, and Transportation Systems. The vendor, KMW, is headquartered in Romania.

The vulnerability is categorized under CWE-620 (Unverified Password Change). It does not require any privileges or user interaction to exploit and can be triggered over the network. The attack vector is simple: an attacker sends a crafted request to the camera's password reset endpoint, and because the endpoint does not verify the current password or require any authentication, the administrative credentials can be overwritten to a known value chosen by the attacker.
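
A minimal model of the CWE-620 pattern described above, next to a handler that requires an authenticated session and the current password. This is an added illustration, not KMW firmware code or code from the CISA advisory; the `Device` class, its method names and the returned status codes are assumptions made for the example.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # PBKDF2 so the stored value is never the plaintext password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Device:
    """Toy model of a device web interface (hypothetical, for illustration)."""
    def __init__(self, admin_password):
        self.salt = os.urandom(16)
        self.admin_hash = _hash(admin_password, self.salt)
        self.sessions = set()  # tokens issued after a successful login

    def check_password(self, password):
        return hmac.compare_digest(self.admin_hash, _hash(password, self.salt))

    def login(self, password):
        if not self.check_password(password):
            return None
        token = os.urandom(16).hex()
        self.sessions.add(token)
        return token

    def reset_unverified(self, new_password):
        # CWE-620: no session check and no current-password check,
        # so any caller that reaches this handler replaces the credential.
        self.admin_hash = _hash(new_password, self.salt)
        return 200

    def reset_verified(self, session, current_password, new_password):
        if session not in self.sessions:
            return 401  # caller is not authenticated
        if not self.check_password(current_password):
            return 403  # session exists, but current password not proven
        self.salt = os.urandom(16)
        self.admin_hash = _hash(new_password, self.salt)
        self.sessions.clear()  # force re-login after a credential change
        return 200
```

Clearing sessions in the verified handler means a stolen session token stops working as soon as the legitimate administrator changes the password.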

KMW has released a firmware update to address the vulnerability. The update is available for download from the vendor's website. Users of the KM-IP421 model should note that after applying the update, the camera will lose its cloud authorization for peer-to-peer connectivity, requiring customers to contact KMW support to re-authorize the connection. This is a necessary trade-off to close the security hole.

CISA strongly recommends that organizations apply the firmware update immediately. In addition, users should minimize network exposure for surveillance equipment, isolate camera networks from business networks using firewalls, and use VPNs for any remote access. Regular firmware checks and responsible cloud connection practices are also advised. No known public exploitation of this vulnerability has been reported to CISA at this time.

The advisory was published as part of CISA's ongoing effort to secure industrial control systems. Organizations observing suspicious activity should report it to CISA for tracking and correlation. This vulnerability underscores the importance of securing IoT and surveillance devices, which are often deployed in sensitive environments and may be overlooked in regular patch management cycles.

Synthesized by Vypr AI