Critical Authentication Bypass in Pelco Sarix Pro 3 Cameras Exposes Live Feeds

The Eyes That Are Watching Back

In the modern security architecture, IP cameras are often treated as set-and-forget devices—quietly installed on ceilings and perimeters to watch over critical infrastructure. However, a recent advisory from CISA serves as a stark reminder that these devices are sophisticated computers with their own attack surfaces. A critical vulnerability, tracked as CVE-2026-1241, has been identified in Pelco Sarix Pro 3 Series IP Cameras that allows attackers to bypass authentication entirely, turning a facility's own eyes against it.

The Vulnerability: CVE-2026-1241

This vulnerability affects the web management interface of the Pelco Sarix Professional 3 Series (IMP, IXP, IBP, and IWP models) running firmware version 02.52 or earlier.

• CVE ID: CVE-2026-1241
• CWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
• CVSS v3.1 Score: 7.5 (HIGH)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The flaw stems from inadequate enforcement of access controls within the web interface. Specifically, the application fails to properly validate authentication credentials for certain functions or paths. Consequently, a remote attacker can access sensitive device data and, most alarmingly, view live video streams without ever logging in.

The Risk to Critical Infrastructure

The impact of this vulnerability extends far beyond a privacy leak. Pelco cameras are widely deployed in sectors designated as Critical Infrastructure, including:

• Healthcare: Monitoring patient rooms and restricted pharmaceutical areas.
• Energy: Securing perimeter fences and control rooms.
• Transportation: Monitoring traffic flows and subway tunnels.
• Government & Defense: Sensitive facility surveillance.

For an adversary, the value lies in Operational Security (OpSec) compromise. By accessing live feeds, attackers can map guard rotations, identify high-value assets, and plan physical intrusions without tripping traditional IT alarms. Furthermore, unauthorized access creates immediate regulatory compliance issues (e.g., HIPAA in healthcare), as Protected Health Information (PHI) or personally identifiable information (PII) may be captured on video.

Detection and Threat Hunting

Detecting an authentication bypass vulnerability can be challenging because the traffic often resembles legitimate administrative access. However, security teams can hunt for anomalies in access patterns to these devices.

1. Hunt for Unusual Access Patterns (KQL)

Use this KQL query in Microsoft Sentinel to identify successful connections to Pelco camera web interfaces that do not have a corresponding standard login event, or access from unusual IP ranges.

let PelcoDevices = DeviceNetworkEvents
| where DeviceName contains "Pelco" or RemotePort in (80, 443, 8080);
let WebAccess = PelcoDevices
| where InitiatingProcessFileName in ("chrome.exe", "firefox.exe", "msedge.exe", "curl", "python") 
 or InitiatingProcessFileName == "" // Direct access often shows no parent process in some logs
| summarize AccessedIPs = make_set(RemoteIP), AccessCount = count() by DeviceName, bin(Timestamp, 1h);
WebAccess
| where AccessCount > 10 // Threshold for bulk access or potential scraping
| project Timestamp, DeviceName, AccessedIPs, AccessCount
| order by AccessCount desc

2. Asset Discovery via Network Scan (Bash)

If you manage a flat network, identifying vulnerable assets is the first step. This bash script uses nmap and curl to scan a subnet for devices identifying themselves as Pelco cameras. Note: Ensure you have authorization to scan the target network.

#!/bin/bash
# Usage: ./scan_pelco.sh <subnet> (e.g., 192.168.1.0/24)

SUBNET=$1
if [ -z "$SUBNET" ]; then
  echo "Please provide a subnet CIDR (e.g., 192.168.1.0/24)"
  exit 1
fi

echo "Scanning $SUBNET for potential Pelco devices on port 80/443..."

# Scan for open web ports
nmap -p 80,443 --open -oG - "$SUBNET" | grep "/open/" | awk '{print $2}' | while read IP; do
  # Attempt to grab HTTP headers to identify server signature
  HEADER=$(curl -s -I -m 2 --connect-timeout 2 http://"$IP" 2>&1 | grep -i "server")
  
  if echo "$HEADER" | grep -qi "pelco"; then
    echo "[!] VULNERABLE DEVICE FOUND: $IP (Server: $HEADER)"
  fi
done

3. PowerShell Vulnerability Check

If you have a list of suspected camera IPs, you can use PowerShell to check if the device reports a firmware version lower than 02.53. This assumes the device exposes firmware info in the HTTP body or headers.

$iplist = @("10.0.0.50", "10.0.0.51")
$minVersion = "02.53"

foreach ($ip in $iplist) {
    try {
        $response = Invoke-WebRequest -Uri "http://$ip" -Method GET -TimeoutSec 2 -ErrorAction Stop
        
        # This regex looks for version strings in the HTML content, adjust based on actual device output
        if ($response.Content -match "Version\s*=\s*["']([0-9.]+)["']") {
            $version = $matches[1]
            if ([version]$version -lt [version]$minVersion) {
                Write-Host "[ALERT] IP: $ip is running vulnerable firmware: $version" -ForegroundColor Red
            } else {
                Write-Host "[OK] IP: $ip is running patched firmware: $version" -ForegroundColor Green
            }
        }
    } catch {
        Write-Host "[ERROR] Could not connect to $ip" -ForegroundColor Gray
    }
}

Mitigation Strategies

Pelco has released firmware version 02.53 to address this issue. Security Arsenal recommends the following immediate actions:

1. Patch Immediately: Update all affected Sarix Professional 3 Series camera firmware to version 02.53 or later. Do not rely on default configurations to protect these devices.

2. Network Segmentation (Critical): IP cameras should never reside on the same flat network as office workstations or servers. Move these devices to a dedicated VLAN with strict ACLs preventing direct internet access.

3. Disable Internet-Facing Management: Ensure the web management interfaces (ports 80/443/8080) of these cameras are not accessible from the internet. Use a VPN or a jump host with Multi-Factor Authentication (MFA) for any required remote administration.

4. Review Access Logs: If these devices were accessible from the internet, assume compromise. Review logs for connections from unknown geolocations or IPs.

Conclusion

CVE-2026-1241 represents a significant risk to physical security infrastructure. The line between cyber and physical security has blurred; a vulnerability in a camera is now a vulnerability in the facility itself. By applying the latest firmware and enforcing network segmentation, organizations can close this open door and secure their perimeters.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub