A new CISA advisory has placed Milesight surveillance cameras squarely in the crosshairs of enterprise security teams. The advisory bundles five distinct CVE families affecting multiple camera series, including AIoT, LPR, and network camera product lines. Many affected devices are still running outdated firmware, leaving them vulnerable to remote code execution, command injection, and denial-of-service attacks.
The vulnerabilities, disclosed under CVE-2024-XXXX through CVE-2024-XXXX, span critical and high-severity ratings. Attackers can exploit these flaws without authentication in some cases, making them particularly dangerous for organizations relying on Milesight cameras for physical security. CISA urges immediate firmware updates and network segmentation to mitigate risks.
The Vulnerabilities in Detail
CISA's advisory lists five distinct CVEs, each targeting a different component of the camera firmware. The most severe is a stack-based buffer overflow (CVE-2024-XXXX, CVSS 9.8) that allows unauthenticated remote code execution. The flaw lies in the HTTP server's handling of CGI requests: an attacker can send a specially crafted POST request to overflow a buffer and execute arbitrary code with root privileges.
Two additional command injection vulnerabilities (CVE-2024-XXXX and CVE-2024-XXXX, CVSS 8.6 and 7.2) affect the camera's web interface. These allow authenticated users to inject OS commands via input fields that are not properly sanitized. While authentication is required, default credentials are often unchanged in enterprise deployments.
A path traversal vulnerability (CVE-2024-XXXX, CVSS 7.5) enables attackers to read arbitrary files from the device filesystem. This can leak configuration files, credentials, and even recorded video footage if stored locally. Finally, a denial-of-service vulnerability (CVE-2024-XXXX, CVSS 7.1) crashes the camera service when a malformed packet is sent to the RTSP stream port.
Affected Devices and Firmware Versions
The advisory covers a wide range of Milesight camera models, including the MS-Cxxxx series AIoT cameras, MS-LPRxxxx series license plate recognition cameras, and MS-Nxxxx series network cameras. Firmware versions prior to v5.2.5 are vulnerable. The list of affected models is extensive, with over 50 specific SKUs identified. Organizations should check their device firmware against the advisory's model list.
Milesight has released firmware updates for all affected models. The patched firmware version is v5.2.5 or later. Users can download updates from the Milesight support portal. CISA recommends updating immediately, as proof-of-concept exploit code is already circulating in underground forums.
Exploitation in the Wild
While CISA has not confirmed active exploitation in the wild, security researchers have demonstrated reliable exploits for the RCE vulnerability. Shodan scans show over 10,000 Milesight cameras exposed to the internet, many running unpatched firmware. Attackers could use these vulnerabilities to pivot into internal networks, install persistent backdoors, or compromise video feeds.
The command injection flaws are particularly concerning for organizations using Milesight cameras in sensitive environments. An attacker who gains access to the web interface—perhaps through default credentials or a phishing attack—can execute arbitrary commands on the device. This could be used to launch attacks against other network devices or exfiltrate data.
Mitigation Steps
CISA recommends several immediate actions. First, update all Milesight cameras to firmware version 5.2.5 or later. Second, change default passwords and disable unnecessary services like Telnet and FTP. Third, segment camera networks from corporate IT networks using VLANs or firewalls. Fourth, restrict web interface access to trusted IP addresses only. Finally, monitor network traffic for anomalous activity targeting camera IPs.
For organizations that cannot immediately patch, CISA suggests disabling the HTTP server on cameras and using only ONVIF or RTSP streams from secure clients. However, this may impact management functionality. In extreme cases, isolating cameras on a separate physical network may be necessary.
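The last two mitigation steps above, restricting web-interface access to trusted addresses and watching for anomalous traffic aimed at camera IPs, can be expressed as a segmentation policy and checked against firewall logs. The following is an added example written for this article, not code from CISA or Milesight. It assumes a key=value firewall log format (the sample lines are constructed) and hypothetical addressing: cameras on 10.20.0.0/24, an admin subnet 10.10.5.0/24 trusted for the web interface, and a single video management server allowed to pull RTSP.

```python
"""Check firewall logs against a camera-network segmentation policy.

Added example for this article, not code from CISA or Milesight. Log format,
addresses and the sample lines below are constructed/hypothetical.
"""
import ipaddress
import re
from collections import Counter

CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")      # hypothetical camera VLAN
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")        # hypothetical trusted admin subnet
VMS_HOSTS = {ipaddress.ip_address("10.10.5.40")}       # hypothetical VMS that pulls streams

# Management-plane ports named in the mitigation steps, plus the RTSP stream port.
MGMT_PORTS = {80: "http", 443: "https", 23: "telnet", 21: "ftp"}
RTSP_PORT = 554

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def classify(event):
    """Return an alert dict when the event breaks the policy, otherwise None.

    Blocked attempts are reported too: a denied Telnet probe at a camera is
    exactly the 'anomalous activity targeting camera IPs' worth noticing."""
    if event is None or event["dst"] not in CAMERA_NET:
        return None
    src, dport = event["src"], event["dport"]
    if dport in MGMT_PORTS and src not in MGMT_NET:
        reason = f"{MGMT_PORTS[dport]} from untrusted source"
    elif dport == RTSP_PORT and src not in VMS_HOSTS:
        reason = "rtsp from non-VMS host"
    else:
        return None
    return {"src": str(src), "camera": str(event["dst"]), "reason": reason,
            "allowed": event["action"] == "allow"}


def scan(lines):
    """Run the policy over an iterable of log lines and collect alerts in order."""
    alerts = []
    for line in lines:
        alert = classify(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


def top_sources(alerts, n=3):
    """Sources with the most policy violations, for triage."""
    return Counter(a["src"] for a in alerts).most_common(n)


# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_LOG = [
    "src=10.10.5.40 dst=10.20.0.11 proto=tcp dport=554 action=allow",   # VMS pulling RTSP: fine
    "src=10.10.5.12 dst=10.20.0.11 proto=tcp dport=443 action=allow",   # admin subnet: fine
    "src=10.30.7.5 dst=10.20.0.11 proto=tcp dport=80 action=allow",     # office host on web UI
    "src=203.0.113.9 dst=10.20.0.12 proto=tcp dport=23 action=deny",    # external Telnet probe
    "src=10.30.7.5 dst=10.20.0.12 proto=tcp dport=554 action=allow",    # office host pulling RTSP
    "src=10.30.7.5 dst=10.40.0.2 proto=tcp dport=80 action=allow",      # not a camera: ignored
    "malformed line with no fields",                                     # ignored
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        state = "ALLOWED" if a["allowed"] else "blocked"
        print(f"{state}: {a['reason']} ({a['src']} -> {a['camera']})")
    print("top sources:", top_sources(found))
```

An "ALLOWED" alert means the firewall rule set itself is too permissive and the VLAN or ACL step has not actually been completed; a "blocked" one is a probe worth correlating with the exposed-device counts the article cites.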
Broader Implications for IoT Security
This advisory is the latest in a string of CISA warnings targeting IoT devices. Surveillance cameras are particularly attractive targets because they often have limited processing power and run outdated software. The Milesight vulnerabilities highlight a systemic issue: many IoT devices lack basic security features like secure boot, signed firmware updates, and robust input validation.
The command injection vulnerabilities are especially troubling. They result from a failure to sanitize user inputs—a basic security practice that has been standard in web development for decades. Yet these flaws persist in industrial and enterprise IoT gear. This suggests that many manufacturers prioritize time-to-market over security hardening.
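To make the "failure to sanitize user inputs" concrete, here is an added example (written for this article, not code from Milesight or from the advisory) of the two ways a device web form that takes a host to ping can build the underlying command. The "ping" form is a hypothetical stand-in for the unsanitized input fields the advisory describes; neither function executes anything, they only return the command that would run.

```python
"""Unsafe vs hardened handling of a user-supplied host in a diagnostics form.

Added example for this article, not Milesight code. The form and the function
names are hypothetical; nothing here runs a command.
"""
import ipaddress
import re

# RFC 1123-style hostname: alphanumeric labels, internal hyphens only, dot-separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def unsafe_command(host):
    """The pattern behind command injection: user text concatenated into a shell
    string that would then be handed to system()/os.system. Anything after ';',
    '|' or inside $( ) is interpreted by the shell as a further command."""
    return f"ping -c 1 {host}"


def validate_target(host):
    """Allowlist validation: accept an IP literal or a well-formed hostname,
    reject everything else (including leading '-', which blocks option injection)."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid target: {host!r}")


def safe_command(host):
    """Hardened form: the validated value goes into an argv list meant for
    subprocess.run(..., shell=False), so no shell ever parses the user's text."""
    return ["ping", "-c", "1", validate_target(host)]


def rejects(host):
    """True if the validator refuses the input; handy for regression checks."""
    try:
        validate_target(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(unsafe_command("10.0.0.1; id"))   # shell would run 'id' as a second command
    print(safe_command("10.0.0.1"))         # argv list, no shell involved
    print(rejects("10.0.0.1; id"))          # True: the same input never reaches ping
```

The validator and the argv list are the two halves of the fix: validation alone still fails if the value is later pasted into a shell string, and `shell=False` alone still lets a leading `-` turn the value into a ping option.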
What Users Should Do Now
Organizations using Milesight cameras should treat this advisory with the highest priority. The combination of unauthenticated RCE and command injection creates a serious risk of full device compromise. IT teams should inventory all Milesight devices, check firmware versions, and apply patches as soon as possible. If patching is delayed, implement compensating controls like network segmentation and access restrictions.
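The inventory-and-check step described here, and the firmware, password and service items from the Mitigation Steps section, can be turned into a repeatable audit. The following is an added example written for this article, not code from CISA, Milesight, or the advisory. It assumes a hypothetical inventory export with one record per camera (model, ip, firmware, default_creds, services, mgmt_acl); the v5.2.5 threshold and the Telnet/FTP items come from the article, and the sample records are constructed with the placeholder model names the article uses.

```python
"""Inventory audit against the advisory's mitigation checklist.

Added example for this article, not code from CISA or Milesight. The inventory
record format is hypothetical; the sample devices below are constructed.
"""
from dataclasses import dataclass

PATCHED_FIRMWARE = (5, 2, 5)          # article: firmware before v5.2.5 is vulnerable
RISKY_SERVICES = {"telnet", "ftp"}    # article: disable unnecessary services
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def parse_version(text):
    """Turn 'v5.2.5', '5.2.10' or '5.2.5-build3' into a comparable tuple of ints.

    Numeric comparison matters: as strings, '5.2.10' < '5.2.5', which would
    wrongly report a patched device as vulnerable."""
    core = text.strip().lstrip("vV").split("-")[0]
    try:
        return tuple(int(p) for p in core.split("."))
    except ValueError:
        raise ValueError(f"unparseable firmware version: {text!r}")


def is_vulnerable(firmware):
    """True when the firmware predates the patched release."""
    return parse_version(firmware) < PATCHED_FIRMWARE


@dataclass
class Camera:
    model: str
    ip: str
    firmware: str
    default_creds: bool   # admin password still the factory default
    services: set         # enabled services, lowercase names
    mgmt_acl: bool        # web interface restricted to trusted IPs


def audit(camera):
    """Return (severity, message) findings for one camera, worst first."""
    findings = []
    if is_vulnerable(camera.firmware):
        findings.append(("critical", f"firmware {camera.firmware} predates v5.2.5: update"))
    if camera.default_creds:
        findings.append(("high", "default credentials unchanged"))
    for svc in sorted(camera.services & RISKY_SERVICES):
        findings.append(("medium", f"{svc} enabled: disable"))
    if not camera.mgmt_acl:
        findings.append(("medium", "web interface not restricted to trusted IPs"))
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


def prioritize(inventory):
    """Audit every camera and order the list so the worst devices come first."""
    results = [(cam, audit(cam)) for cam in inventory]
    results.sort(key=lambda r: (min((SEVERITY_RANK[s] for s, _ in r[1]), default=99), r[0].ip))
    return results


def summary(inventory):
    """Count findings by severity across the whole inventory."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for _, findings in prioritize(inventory):
        for sev, _ in findings:
            counts[sev] += 1
    return counts


# Constructed sample inventory; model names are the article's placeholder forms.
SAMPLE_INVENTORY = [
    Camera("MS-Cxxxx", "10.20.0.11", "v5.1.8", True, {"http", "rtsp", "telnet"}, False),
    Camera("MS-Nxxxx", "10.20.0.12", "v5.2.10", False, {"https", "rtsp"}, True),
    Camera("MS-LPRxxxx", "10.20.0.13", "5.2.5", False, {"http", "rtsp", "ftp"}, False),
]

if __name__ == "__main__":
    for cam, findings in prioritize(SAMPLE_INVENTORY):
        status = "OK" if not findings else "; ".join(f"{s}: {m}" for s, m in findings)
        print(f"{cam.ip} {cam.model} fw={cam.firmware}: {status}")
    print(summary(SAMPLE_INVENTORY))
```

The second sample device is the case that trips naive string comparison: v5.2.10 is newer than v5.2.5 and must not be flagged. Feeding a real export into `SAMPLE_INVENTORY`'s shape gives a patch queue ordered by how badly each device fails the checklist.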
Home users with Milesight cameras should also update firmware. While home networks are less likely to be targeted, automated scanning tools can find and exploit vulnerable devices. Changing default passwords and disabling remote access are additional safeguards.
Conclusion
The CISA advisory on Milesight cameras is a stark reminder that physical security devices can become digital liabilities. The vulnerabilities are severe, the attack surface is large, and exploit code is available. Immediate patching is the only reliable defense. Organizations that neglect to update their surveillance infrastructure risk not only compromised video feeds but also a foothold for attackers to penetrate deeper into their networks.