# Critical Flaws in Milesight IP Cameras Allow Remote Code Execution Across Multiple Product Lines


Milesight has disclosed five critical vulnerabilities affecting dozens of camera models across its product lineup, with successful exploitation potentially leading to remote code execution or device denial of service. The affected firmware versions span multiple camera families, leaving a broad installed base at risk.


## The Threat


A coordinated vulnerability disclosure reveals critical flaws in Milesight's IP camera firmware that could allow attackers to gain unauthorized access and execute arbitrary code on vulnerable devices. These five distinct CVEs—CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, and CVE-2026-20766—collectively impact surveillance systems deployed across enterprises, integrators, and managed security service providers.


The vulnerabilities appear to stem from improper input validation and authentication bypass flaws in the camera firmware. Attackers exploiting these issues could remotely crash affected cameras, disrupting surveillance operations, or worse—gain persistent access to devices that typically sit on the same network segment as critical infrastructure, security systems, and sensitive workstations. In a security camera network, compromised devices can become a beachhead for lateral movement and further network exploitation.


The widespread nature of the vulnerability is particularly concerning. Rather than affecting a single product line, the flaws impact Milesight's most commonly deployed models—the Cx-series compact cameras, N-series network cameras, PMC8266 series, and enterprise-grade options. Organizations using these cameras for perimeter security, access control documentation, or facility monitoring face immediate risk.


## Severity and Impact


| CVE ID | CVSS Score | Attack Vector | Attack Complexity | Authentication | Primary Impact |

|--------|------------|----------------|-------------------|-----------------|-----------------|

| CVE-2026-28747 | Critical | Network | Low | None Required | Remote Code Execution |

| CVE-2026-27785 | Critical | Network | Low | None Required | Remote Code Execution |

| CVE-2026-32644 | High | Network | Low | None Required | Denial of Service |

| CVE-2026-32649 | High | Network | Low | None Required | Denial of Service |

| CVE-2026-20766 | High | Network | Low | None Required | Denial of Service |


All five vulnerabilities require network access but do not require authentication, making them exploitable from the internet if cameras are directly exposed or accessible through compromised network boundaries.


## Affected Products


### Compact Dome Series (51.7.0.77-r12 and earlier)

  • MS-Cxx63-PD
  • MS-Cxx64-xPD
  • MS-Cxx73-xPD
  • MS-Cxx75-xxPD
  • MS-Cxx83-xPD

    • ### Pan-Tilt Models

  • MS-Cxx74-PA (≤ 3x.8.0.3-r11)

    • ### High-Performance Turret Series (63.8.0.5-r3 and earlier)

  • MS-Cxx66-xxxG1
  • MS-Cxx62-xxxG1
  • MS-Cxx72-xxxG1

    • ### Box Camera Series (61.8.0.5-r2 and earlier)

  • MS-Cxx72-xxxPE
  • MS-Cxx62-xxxPE
  • MS-Cxx52-xxxPE
  • MS-Cxx66-xxxPE
  • MS-Cxx66-xxxGPE
  • MS-Cxx61-xxxPE
  • MS-Cxx67-xxxPE
  • MS-Cxx71-xxxPE
  • MS-Cxx41-xxxPE
  • MS-Cxx76-PE
  • MS-Cxx65-PE

    • ### Specialist Models

  • MS-C8477-HPG1 (≤ 63.8.0.4-r3)
  • MS-C8477-PC (≤ 48.8.0.4-r3)
  • MS-C5321-FPE (≤ 62.8.0.4-r5)

    • ### Network Camera Series (7x.9.0.19-r5 and earlier)

  • MS-Nxxxx-NxE
  • MS-Nxxxx-xxC
  • MS-Nxxxx-xxE
  • MS-Nxxxx-xxG
  • MS-Nxxxx-xxH
  • MS-Nxxxx-xxT

    • ### Enterprise Panoramic Models (CQ_63.8.0.5-r1 and earlier)

  • MS-CQxx31-xxxG1
  • MS-CQxx68-xxxG1
  • MS-CQxx72-xxxG1

    • ### Third-Party OEM Variants

  • PMC8266-FPE (≤ PO_61.8.0.4_LPR)
  • PMC8266-FGPE (≤ PO_61.8.0.4_LPR)

    • This list encompasses entry-level surveillance systems through enterprise-grade panoramic and thermal models, reflecting the pervasiveness of the vulnerability across Milesight's portfolio.


    ## Mitigations


    Immediate Actions


    Organizations should treat camera firmware updates as a critical priority. Milesight has released patched firmware versions for all affected models. Administrators should:


    1. Inventory all Milesight cameras in your environment and document current firmware versions. Use your VMS (Video Management System) to automate this if available.


    2. Prioritize internet-facing cameras for immediate patching. If any cameras are accessible from the public internet or through port forwarding, consider temporarily isolating them from the network until patches are applied.


    3. Apply firmware updates through the camera's web interface or management console. Test patches in a non-production environment first to verify compatibility with your recording and alerting workflows.


    4. Change default credentials on all cameras if you haven't already. Many Milesight models ship with weak default passwords that increase exploitation risk.


    Network Segmentation


  • Isolate IP cameras on a dedicated VLAN separate from workstations, servers, and IoT devices.
  • Restrict camera management traffic to administrative workstations using firewall rules.
  • Implement access controls to prevent cameras from initiating outbound connections to untrusted destinations.

    • Detection and Monitoring


  • Monitor camera logs for unexpected access attempts or failed authentication events.
  • Use network intrusion detection to flag unusual traffic patterns to or from camera IP ranges.
  • Check for suspicious processes running on camera devices through management interfaces if supported.

    • Long-Term Hardening


  • Disable remote access to cameras unless absolutely necessary, using VPN or jump hosts for administration.
  • Implement two-factor authentication on camera management interfaces where supported.
  • Subscribe to Milesight's security notifications to stay informed of future vulnerabilities.

    • ## References


  • [Milesight Security Advisory](https://www.milesight.com/en/support/security) (official vendor guidance and patch downloads)
  • CISA Vulnerability Database for CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766
  • Milesight VMS Documentation for firmware upgrade procedures

    • ---


    Bottom Line: These are not theoretical vulnerabilities—they affect dozens of camera models likely deployed in your organization. If your security architecture relies on Milesight cameras, firmware updates should be treated as a critical security incident response activity, not a routine maintenance task. Unpatched cameras represent a direct path for attackers to access your surveillance infrastructure and the networks it monitors.