Critical KMW CCTV Vulnerability Lets Attackers Access Camera Feeds and Settings

A critical vulnerability in KMW CCTV security cameras can let remote attackers reset the administrator password without authentication, giving them access to camera feeds and device settings. The flaw is tracked as CVE-2026-5386 and carries a CVSS 3.1 score of 9.1.

The issue affects KMW KM-IP521 cameras running firmware IPCAM_V4.04.91.230307 and KM-IP421 cameras running firmware IPCAM_V4.04.53.210416. CISA published the vulnerability in ICSA-26-148-06, warning that successful exploitation may grant full unauthorized access to camera feeds and settings.

The weakness is especially serious because it targets surveillance equipment. A compromised camera can expose live video, allow attackers to change device settings, and weaken physical security monitoring in offices, government facilities, transportation environments, factories, and other sensitive locations.

What Makes CVE-2026-5386 Dangerous

CISA describes the bug as an unauthenticated password reset issue. In simple terms, an attacker who can reach the affected camera over the network may reset the administrator password to a known value without proving ownership of the account.

The vulnerability maps to CWE-620, also known as Unverified Password Change. This type of flaw occurs when a system lets a password change happen without checking the current password or another trusted proof of identity.

The attack path matters because the vulnerable cameras may sit in locations where video access has real operational value. Attackers could use access to watch restricted areas, study security routines, change configuration, or interfere with monitoring during another incident.

Key Details About the KMW CCTV Vulnerability

Item	Details
CVE	CVE-2026-5386
Vendor	KMW
Affected products	KM-IP521 and KM-IP421 CCTV security cameras
Affected firmware	IPCAM_V4.04.91.230307 for KM-IP521 and IPCAM_V4.04.53.210416 for KM-IP421
Severity	Critical, CVSS 3.1 score of 9.1
Weakness type	Unverified Password Change
Main impact	Full unauthorized access to camera feeds and settings
Fix status	KMW has issued a firmware update

CISA Says No Public Exploitation Has Been Reported Yet

CISA said it had not received reports of known public exploitation specifically targeting this vulnerability at the time of the advisory. That lowers the immediate confirmed threat level, but it does not make the issue safe to ignore.

The vulnerability has a low attack complexity, requires no privileges, and needs no user interaction. Those conditions often make exposed IoT and surveillance devices attractive targets once technical details become public.

Organizations should treat affected cameras as high-priority assets, especially when they connect to the internet, cloud services, remote monitoring systems, or broad internal networks.

Firmware Update Is Available, but KM-IP421 Users Need Extra Care

KMW has released a firmware update to address the vulnerability. Administrators should test and deploy the update based on their normal change management process, then verify that camera access, recording, and monitoring features still work correctly.

There is one important operational note for KM-IP421 users. After the update, the device may lose cloud authorization, and users may need to contact customer support to re-authorize the P2P connection.

That detail makes planning important. Security teams should not delay patching, but they should coordinate the update with physical security teams so camera availability does not break during active monitoring hours.

How Organizations Should Reduce Exposure

CISA recommends limiting network exposure for control system devices and keeping them off the public internet. The same principle applies to CCTV systems because they often bridge cybersecurity and physical security operations.

• Check whether any KM-IP521 or KM-IP421 cameras run affected firmware.
• Apply the vendor firmware update after proper testing.
• Keep CCTV systems on a separate network from business systems.
• Allow internet access only for devices that truly need it.
• Block direct public access to camera administration interfaces.
• Use secure, updated VPN access when remote administration is required.
• Review cloud and P2P access settings after the update.
• Monitor for password changes, configuration changes, and unusual login activity.

These steps align with CISA’s broader ICS recommended practices, which emphasize reduced exposure, segmentation, and secure remote access for operational technology and control system environments.

Why CCTV Security Needs More Attention

Security cameras often receive less attention than laptops, servers, and firewalls. That creates risk because cameras still have web interfaces, firmware, user accounts, cloud features, and network access.

When attackers compromise CCTV devices, the impact can move beyond data privacy. They may learn guard patterns, identify blind spots, change recording settings, or reduce the reliability of footage after a physical security incident.

For organizations that rely on surveillance for safety, compliance, or evidence collection, firmware management should become part of the regular security program. Inventory, patching, segmentation, and access reviews can reduce the chance that camera systems become the weakest point in the network.

What Security Teams Should Check First

Teams that use KMW cameras should start with asset discovery. They should confirm camera models, firmware versions, public exposure, remote access methods, and cloud connection settings.

They should also review logs for unusual password reset activity, new administrator sessions, unexpected configuration changes, and changes to recording schedules. If any suspicious activity appears, teams should preserve logs before making major changes.

The safer long-term approach is to isolate surveillance equipment, apply updates promptly, and review remote access controls often. CISA’s recommended practices give security teams a useful baseline for reducing exposure across critical devices, including network-connected camera systems.

FAQ