VYPR
Advisory · Published Jun 25, 2026 · 1 source

CISA Warns of OS Command Injection and File Upload Flaws in H.VIEW HV-500S6 IP Camera

CISA disclosed two high-severity vulnerabilities in H.VIEW HV-500S6 IP cameras that could allow authenticated attackers to execute arbitrary code and upload malicious files.

CISA published an advisory on June 25, 2026, detailing two vulnerabilities in the H.VIEW HV-500S6 IP Camera running firmware version IPCAM_V4.06.88.251229. The flaws—CVE-2026-55975 and CVE-2026-56414—both carry a CVSS v4.0 score of 8.6 (HIGH) and could allow authenticated attackers to execute arbitrary code and upload malicious files to the device.

The first vulnerability, CVE-2026-55975, is an OS command injection flaw. It exists in the certificate generation interface, where unsanitized XML fields are incorporated into a backend command without proper input validation. An authenticated user can exploit this to execute commands with elevated privileges during certificate generation. The second vulnerability, CVE-2026-56414, is an unrestricted file upload issue. The camera's certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validating file type, structure, or size. This could enable the placement of malicious files that persist even after a reboot.
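The fix for the injection class described above is to validate each XML field against an allowlist and hand the values to the backend tool as an argument vector, never as a shell string. The sketch below is an added illustration and not the vendor's code: the XML element names, the length limits, and the use of `openssl` as the backend are assumptions, and the sample requests are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical field names and limits; the advisory does not list the real ones.
FIELDS = {"CommonName": "CN", "Organization": "O", "Country": "C"}
ALLOWED = re.compile(r"[A-Za-z0-9 .\-]{1,64}")  # no shell or DN metacharacters
MAX_XML_BYTES = 4096


def parse_subject(xml_bytes: bytes) -> dict:
    """Extract certificate subject fields, rejecting anything outside the allowlist."""
    if len(xml_bytes) > MAX_XML_BYTES:
        raise ValueError("request too large")
    root = ET.fromstring(xml_bytes)
    subject = {}
    for tag, rdn in FIELDS.items():
        value = (root.findtext(tag) or "").strip()
        if not ALLOWED.fullmatch(value):
            raise ValueError(f"invalid {tag}")
        subject[rdn] = value
    if not re.fullmatch(r"[A-Z]{2}", subject["C"]):
        raise ValueError("invalid Country")
    return subject


def build_argv(subject: dict) -> list:
    """Build an argument vector; no shell ever parses the field values."""
    subj = "".join(f"/{k}={v}" for k, v in subject.items())
    return ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
            "-keyout", "key.pem", "-out", "cert.pem", "-days", "365",
            "-subj", subj]


# Constructed sample requests (not captured from a device).
GOOD_XML = (b"<CertReq><CommonName>cam01.example.test</CommonName>"
            b"<Organization>Example Lab</Organization>"
            b"<Country>US</Country></CertReq>")
BAD_XML = GOOD_XML.replace(b"cam01.example.test", b"cam01;id")

if __name__ == "__main__":
    print(build_argv(parse_subject(GOOD_XML)))
    try:
        parse_subject(BAD_XML)
    except ValueError as exc:
        print("rejected:", exc)
```

The resulting list is meant for `subprocess.run(argv, shell=False)`, so even a value that slipped past validation would reach the tool as data inside a single argument.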

The affected product is the H.VIEW HV-500S6 IP Camera, deployed worldwide in commercial facilities. H.View, headquartered in China, did not respond to CISA's request to coordinate on mitigations. CISA recommends users minimize network exposure for control system devices, ensure they are not accessible from the internet, and use VPNs for remote access. Organizations should also follow defense-in-depth strategies and report any suspected malicious activity to CISA.

As of the advisory date, no known public exploitation of these vulnerabilities has been reported. However, given the high CVSS scores and the lack of vendor response, users are urged to take immediate defensive measures. The vulnerabilities were reported to CISA by Fukuhara Rikuto of Smooth Inc. and Hosei University.

This advisory is part of CISA's ongoing effort to secure industrial control systems (ICS) and Internet of Things (IoT) devices. IP cameras are often targeted by attackers for botnets, surveillance, or as entry points into broader networks. The absence of vendor cooperation underscores the challenges in securing devices from manufacturers that do not engage with vulnerability disclosure programs.

Synthesized by Vypr AI