CISA Warns of Stored XSS in CP Plus Network Video Recorders
CISA has issued an advisory for CVE-2026-6824, a stored cross-site scripting vulnerability in CP Plus CP-UNR-108F1 NVRs that could allow attackers to hijack sessions and steal data.

CISA published an advisory on May 28, 2026, detailing a stored cross-site scripting (XSS) vulnerability in CP Plus CP-UNR-108F1 8-channel network video recorders. Tracked as CVE-2026-6824, the flaw carries a CVSS v3.1 base score of 8.4 (HIGH) and affects hardware version V1.0, web interface version V3.2.7.128806, and system firmware version V4.001.00AT009.0.R. The vulnerability stems from insufficient sanitization of user-supplied input in specific functional modules, allowing attackers to inject malicious scripts that are persistently stored on the device backend.
The stored scripts execute in the browser of any authenticated user or administrator who accesses the affected interface. This can lead to session hijacking, unauthorized actions performed with the victim's privileges, exposure or manipulation of sensitive data, and degradation of overall system integrity. The advisory notes that the affected devices are deployed across critical infrastructure sectors including commercial facilities, critical manufacturing, and emergency services, with known deployments in India, Nepal, the United Arab Emirates, and Gambia. CP Plus is headquartered in India.
CP Plus has released a firmware update to address the vulnerability. The patched version is CP-UNR-AxxxMars_PN_15_Q_00_V1.00.14.01.T.260326, available for download via a Google Drive link provided in the advisory. For firmware access and upgrade instructions, users can contact CP Plus support by phone at +91-8800952952 or by email at support@cpplusworld.com. CISA recommends that organizations update affected devices as soon as possible.
CISA also advises users to minimize network exposure for all control system devices, ensuring they are not accessible from the internet. Control system networks should be located behind firewalls and isolated from business networks. When remote access is required, more secure methods such as VPNs should be used, though VPNs themselves should be kept updated. Organizations are reminded to perform proper impact analysis and risk assessment before deploying defensive measures.
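As an added example (not code from CISA or CP Plus), the following Python triages an asset inventory against the model and version strings named above and orders unpatched recorders by network exposure, following the patching and exposure guidance in the two preceding paragraphs. The inventory columns, hostnames, and exposure labels are assumptions, as is the premise that the inventory records the patched firmware under the package name given in the advisory; units whose versions are missing or unlisted are conservatively marked for manual verification.

```python
import csv
import io

# Model and version strings as given in the advisory text above.
MODEL = "CP-UNR-108F1"
AFFECTED_WEB = "V3.2.7.128806"
AFFECTED_FW = "V4.001.00AT009.0.R"
PATCHED_FW = "CP-UNR-AxxxMars_PN_15_Q_00_V1.00.14.01.T.260326"

# Assumed exposure labels; lower rank is handled first, and an
# unknown label is treated as internet-facing (rank 0).
EXPOSURE_RANK = {"internet": 0, "business": 1, "isolated": 2}

# Constructed sample inventory; hostnames and columns are hypothetical.
SAMPLE_INVENTORY = """host,model,web,firmware,exposure
nvr-lobby,CP-UNR-108F1,V3.2.7.128806,V4.001.00AT009.0.R,isolated
nvr-gate,cp-unr-108f1, v3.2.7.128806 ,v4.001.00at009.0.r,internet
nvr-dock,CP-UNR-108F1,,,business
nvr-roof,CP-UNR-108F1,,CP-UNR-AxxxMars_PN_15_Q_00_V1.00.14.01.T.260326,internet
cam-01,OTHER-MODEL,1.0,1.0,internet
"""

def norm(value):
    """Normalize a field so comparisons ignore case and stray whitespace."""
    return (value or "").strip().upper()

def classify(row):
    """Return 'affected', 'patched', 'verify', or None for other models."""
    if norm(row["model"]) != norm(MODEL):
        return None
    if norm(row["firmware"]) == norm(PATCHED_FW):
        return "patched"
    reported = {norm(row["web"]), norm(row["firmware"])}
    if reported & {norm(AFFECTED_WEB), norm(AFFECTED_FW)}:
        return "affected"
    return "verify"  # missing or unlisted versions are not cleared

def triage(inventory_csv):
    """List (host, status, exposure) for unpatched units: most exposed
    first, and confirmed-affected ahead of unverified at equal exposure."""
    todo = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row)
        if status in ("affected", "verify"):
            exposure = (row.get("exposure") or "").strip().lower()
            todo.append((row["host"], status, exposure))
    return sorted(todo, key=lambda t: (EXPOSURE_RANK.get(t[2], 0), t[1] != "affected"))

if __name__ == "__main__":
    for host, status, exposure in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status} ({exposure})")
```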
The vulnerability was reported to CISA by researcher Jithin Nambiar J. As of the advisory's publication, no known public exploitation specifically targeting this vulnerability has been reported to CISA. However, given the severity and the potential for session hijacking and data theft, immediate patching is strongly recommended. The advisory is part of CISA's ongoing effort to secure industrial control systems and critical infrastructure against cyber threats.