CISA has released ICS Advisory ICSA-26-162-03 regarding critical security vulnerabilities affecting multiple Brickcom camera models. For security practitioners managing Operational Technology (OT) or physical security environments, this is not merely a patch cycle; it is a breach of the physical security perimeter. The vulnerabilities—specifically "Missing Authentication for Critical Function" and "Use of Default Credentials"—allow remote, unauthenticated attackers to access live video feeds and seize administrative control of the device.
Given the deployment of these cameras in Critical Manufacturing, Healthcare, and Financial Services, the implications extend beyond privacy to physical safety and espionage. Defenders must act immediately to identify affected assets before they are weaponized for surveillance or as a foothold for lateral movement into the corporate network.
Technical Analysis
Affected Products: The advisory confirms that the following hardware running firmware version 3.2.3.5.6 are vulnerable:
- Brickcom Cube
- Brickcom Dome
- Brickcom Bullet
- Brickcom Box
Vulnerability Details:
- CVSS v3 Score: 7.7 (High)
- Vector: Network (Adjacent or Network)
- Impact: Confidentiality, Integrity, and Availability impacts are all HIGH.
The core issue is a failure to enforce authentication on critical functions combined with the prevalence of default credentials. An attacker does not need to exploit a complex buffer overflow; they simply need to connect to the device.
Attack Chain:
- Discovery: Attacker scans internet-facing IP ranges for Brickcom HTTP/RTSP services.
- Exploitation: Attacker issues a standard web request to the device's video streaming endpoint or management interface. Due to "Missing Authentication," the device serves the request without validating a session token.
- Privilege Escalation: If default credentials are present (e.g., admin/admin), the attacker accesses the configuration interface to enable SSH, disable logging, or modify network settings to pivot deeper.
Detection & Response
Detecting these vulnerabilities requires a shift from endpoint-based telemetry to network and log analysis, as IoT cameras rarely host EDR agents. We must rely on NetFlow, firewall logs, and web proxy logs to identify unauthorized access or configuration changes.
SIGMA Rules
The following rules target the network behavior associated with unauthorized access attempts and the usage of default credentials in proxy logs.
---
title: Potential Brickcom Camera Unauthorized Access via Default Creds
id: 2e8b9c12-4a5d-4b8e-9c1f-3a6b5c7d8e9f
status: experimental
description: Detects potential login attempts to Brickcom camera interfaces using default credentials (admin:admin) or accessing admin paths without proper session headers.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-03
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1078
logsource:
category: proxy
product: any
detection:
selection:
c-uri|contains:
- '/admin/'
- '/setup/'
- '/config/'
cs-method: 'POST'
condition: selection
falsepositives:
- Legitimate administrator configuration
level: high
---
title: Brickcom Camera RTSP Stream Access from External IP
id: 5f7d8e9a-1b2c-3d4e-5f6a-7b8c9d0e1f2a
status: experimental
description: Detects external access to RTSP streams (port 554) on known Brickcom camera segments, which may indicate unauthorized feed viewing.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-03
author: Security Arsenal
date: 2026/04/06
tags:
- attack.collection
- attack.1125
logsource:
category: firewall
product: any
detection:
selection:
DestinationPort: 554
Protocol: 'TCP'
filter:
SourceIP|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
condition: selection and not filter
falsepositives:
- Authorized remote viewing from known corporate IPs
level: medium
KQL (Microsoft Sentinel)
Use this query to hunt for suspicious successful connections to Brickcom camera management interfaces on your network.
// Hunt for successful HTTP/HTTPS connections to Brickcom cameras from external sources
let BrickcomCameras = DeviceNetworkEvents
| where DeviceName contains "Brickcom" or RemoteIP has_any ("192.168.1.10", "192.168.1.11"); // Update with known camera IPs
CommonSecurityLog
| where DeviceVendor in ("Brickcom", "Cisco", "Fortinet") // Adjust based on your firewall/proxy vendor
| where DestinationPort in (80, 443, 554, 8080)
| where DeviceAction == "Allowed" or SentBytes > 1000
| summarize count(), min(Timestamp), max(Timestamp) by SourceIP, DestinationIP, DestinationPort, DeviceAction
| join kind=inner BrickcomCameras on DestinationIP
| project Timestamp, SourceIP, DestinationIP, DestinationPort, count_
Velociraptor VQL
This artifact hunts for active network connections on Linux-based IoT gateways or NVRs that might be communicating with vulnerable Brickcom cameras on non-standard ports.
-- Hunt for established connections to common camera ports
SELECT Fd, Family, Type, RemoteAddr, RemotePort, State, PID, Starttime
FROM listen_sock()
WHERE State = 'ESTABLISHED'
AND RemotePort IN (80, 443, 554, 8000, 8080)
AND RemoteAddr NOT IN ('127.0.0.1', '::1', '0.0.0.0')
Remediation Script (PowerShell)
This script scans a specified IP range to identify Brickcom cameras running the vulnerable firmware version. Run this from a management workstation with network access to the camera VLAN.
<#
.SYNOPSIS
Scanner for Brickcom Cameras (Firmware 3.2.3.5.6).
.DESCRIPTION
Scans a subnet for Brickcom web interfaces and checks for vulnerable version strings.
#>
$Subnet = "192.168.1." # Adjust to your camera subnet prefix
$StartRange = 1
$EndRange = 254
Write-Host "[+] Initiating scan for Brickcom cameras on $Subnet`0/$EndRange..." -ForegroundColor Cyan
for ($i = $StartRange; $i -le $EndRange; $i++) {
$IP = "$Subnet$i"
try {
# Try to fetch the server header or a generic page to identify device
$Response = Invoke-WebRequest -Uri "http://$IP/" -Method HEAD -TimeoutSec 2 -ErrorAction Stop
if ($Response.Headers.Server -like "*Brickcom*" -or $Response.Content -like "*Brickcom*") {
Write-Host "[!] FOUND Brickcom Device: $IP" -ForegroundColor Red
# Attempt to get firmware info from a common info page
try {
$InfoPage = Invoke-WebRequest -Uri "http://$IP/cgi-bin/system.cgi" -Method GET -TimeoutSec 2 -ErrorAction SilentlyContinue
if ($InfoPage.Content -match "3.2.3.5.6") {
Write-Host " [CRITICAL] Vulnerable Firmware 3.2.3.5.6 Detected!" -ForegroundColor Red
}
} catch {
Write-Host " [WARN] Could not confirm firmware version. Manual check required." -ForegroundColor Yellow
}
}
} catch {
# Host is down or not a web server
}
}
Write-Host "[+] Scan complete." -ForegroundColor Green
Remediation
-
Firmware Update: Immediately upgrade affected Brickcom cameras (Cube, Dome, Bullet, Box) from firmware version 3.2.3.5.6 to the latest vendor-supplied firmware. Check the vendor portal for the specific patch addressing CISA-26-162-03.
-
Credential Hygiene: If updating is not immediately possible, change all default administrative credentials. Ensure passwords are complex (16+ characters) and unique per device.
-
Network Segmentation: Isolate IoT cameras into a dedicated VLAN. Restrict inbound and outbound traffic strictly to necessary protocols (e.g., RTSP to the NVR only). Block direct internet access from camera subnets at the firewall.
-
Audit Access Logs: Review logs for the past 30 days for any unexplained successful logins or configuration changes on these devices.
-
Vendor Reference: Refer to the official CISA Advisory ICSA-26-162-03 for the latest technical details and vendor contact information.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.