
Critical Pelco Sarix Camera Flaw Exposes Live Feeds: Patch CVE-2026-1241 Now

Security Arsenal Team
March 5, 2026
4 min read

Surveillance systems are the eyes of your security operations center. When those eyes are compromised, the physical security posture of your organization collapses with them. Today, the Security Arsenal SOC is analyzing a high-severity vulnerability affecting Pelco Sarix Professional 3 Series IP Cameras that allows attackers to bypass authentication and view sensitive live video streams undetected.

The Vulnerability: CVE-2026-1241

CISA recently released an advisory regarding CVE-2026-1241, a flaw rated HIGH (7.5) on the CVSS v3.1 scale. This vulnerability impacts the web management interface of the Sarix Professional 3 Series, specifically models IMP, IXP, IBP, and IWP running firmware version 02.52 or earlier.

The technical root cause is identified as CWE-288: Authentication Bypass Using an Alternate Path or Channel. Essentially, the web interface fails to strictly enforce access controls on specific endpoints. This oversight creates a "shadow" pathway where unauthorized users can interact with the device—most critically, accessing the live video feed—without ever providing credentials.

Impact Analysis

The ramifications of this flaw extend far beyond a simple IT glitch. Because these cameras are deployed in Critical Infrastructure sectors—including Healthcare, Energy, and Government Facilities—the risk profile is severe:

  • Privacy Breaches: Unauthorized viewing of live streams in sensitive areas like hospital wards, secure manufacturing floors, or data centers.
  • Operational Sabotage: Attackers gaining physical intelligence to plan real-world intrusions or bypass security checkpoints.
  • Compliance Violations: Exposing surveillance data often violates regulatory frameworks like HIPAA or CUI requirements.

Detection and Threat Hunting

To determine if your environment is susceptible to this flaw, you must first identify the affected assets and then hunt for signs of unauthorized access attempts. Below are scripts and queries to assist your security team.

1. Asset Discovery (Bash)

Use this Nmap command, which runs the http-title and http-headers NSE scripts, to scan your network subnets (for example, a /24 camera VLAN in place of <target_subnet>) for Pelco devices and record their HTTP titles and headers. This helps identify the device manufacturer and potentially the model without needing to log in.

nmap -p 80,443 --script http-title,http-headers <target_subnet> -oN pelco_scan.txt

After scanning, grep the results for Pelco indicators:

grep -i "pelco\|sarix" pelco_scan.txt

2. Suspicious Access Detection (KQL)

Deploy this KQL query in Microsoft Sentinel (against the DeviceNetworkEvents table fed by Microsoft Defender for Endpoint) to hunt for anomalous access to your camera subnets. It surfaces successful connections from monitored endpoints to known camera IPs on web ports where the initiating process is not your approved management software; tune the CameraIPs list and the process allowlist to your environment. Because it only sees hosts running the Defender sensor, pair it with firewall or proxy logs to cover traffic from unmanaged devices.

let CameraIPs = dynamic(["192.168.1.10", "192.168.1.11"]); // Add your known camera IPs here
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemotePort in (80, 443, 8080)
| where RemoteIP in (CameraIPs)
| where InitiatingProcessFileName !in~ ("svchost.exe", "python.exe", "browser.exe") // Adjust to your VMS / management software
| project TimeGenerated, DeviceName, InitiatingProcessFileName, LocalIP, RemoteIP, RemotePort
| order by TimeGenerated desc
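The two detection steps above can be chained. The following Python script is an added example, not code from the Security Arsenal post or from Pelco: it parses the nmap -oN file produced by the asset-discovery command into a camera inventory, flags any device whose firmware is 02.52 or earlier, emits the CameraIPs declaration for the Sentinel hunt, and applies the same process-allowlist filter as the KQL query to a few constructed DeviceNetworkEvents-style records. The nmap output, the "Pelco-Sarix/<version>" Server header, the process name vmsclient.exe and the event rows are all constructed for illustration; real Sarix devices may expose model and version differently.

```python
"""Added example (not part of the Security Arsenal post): inventory Pelco cameras
from nmap -oN output, flag firmware <= 02.52, build the KQL CameraIPs line, and
run the hunt's process-allowlist logic over constructed connection records."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed nmap -oN output. The "Pelco-Sarix/<version>" Server header is an
# assumption for illustration; real Sarix firmware may expose version elsewhere.
NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -p 80,443 --script http-title,http-headers 192.168.1.0/24 -oN pelco_scan.txt
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).

PORT    STATE  SERVICE
80/tcp  open   http
|_http-title: Pelco Sarix Professional IMP
| http-headers: 
|   Server: Pelco-Sarix/02.52
|_  (Request type: HEAD)

Nmap scan report for 192.168.1.11
Host is up (0.0010s latency).

PORT    STATE  SERVICE
80/tcp  open   http
|_http-title: Pelco Sarix Professional IBP
| http-headers: 
|   Server: Pelco-Sarix/02.53
|_  (Request type: HEAD)

Nmap scan report for 192.168.1.50
Host is up (0.0020s latency).

PORT    STATE  SERVICE
80/tcp  open   http
|_http-title: Welcome to nginx!
| http-headers: 
|   Server: nginx/1.24.0
|_  (Request type: HEAD)
"""

LAST_AFFECTED_FIRMWARE = "02.52"  # advisory: 02.52 or earlier affected, 02.53 fixes it
WEB_PORTS = (80, 443, 8080)       # same ports as the KQL hunt


@dataclass
class Camera:
    ip: str
    title: str
    firmware: Optional[str]  # None when the scan did not reveal a version


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_affected_firmware(version: str) -> bool:
    return version_tuple(version) <= version_tuple(LAST_AFFECTED_FIRMWARE)


def parse_nmap(text: str) -> List[Camera]:
    """Keep hosts whose http-title or Server header mentions Pelco/Sarix."""
    cameras = []
    for block in re.split(r"^Nmap scan report for ", text, flags=re.M)[1:]:
        ip = block.split()[0]
        title = re.search(r"\|_http-title: (.*)", block)
        server = re.search(r"\|\s+Server: (.*)", block)
        evidence = " ".join(m.group(1) for m in (title, server) if m)
        if not re.search(r"pelco|sarix", evidence, re.I):
            continue
        fw = re.search(r"/(\d+\.\d+)", server.group(1)) if server else None
        cameras.append(Camera(ip, title.group(1) if title else "",
                              fw.group(1) if fw else None))
    return cameras


def needs_patch(cameras: List[Camera]) -> List[Camera]:
    """Affected firmware, plus unknown versions that must be verified by hand."""
    return [c for c in cameras if c.firmware is None or is_affected_firmware(c.firmware)]


def kql_camera_list(cameras: List[Camera]) -> str:
    """Render the CameraIPs declaration used by the Sentinel hunt query."""
    return "let CameraIPs = dynamic([%s]);" % ", ".join('"%s"' % c.ip for c in cameras)


# Constructed DeviceNetworkEvents-style rows; "vmsclient.exe" stands in for your
# real video-management client and is an assumption, not a vendor process name.
APPROVED_PROCESSES = {"vmsclient.exe"}
EVENTS: List[Dict] = [
    {"TimeGenerated": "2026-03-05T09:15:02Z", "DeviceName": "vms-server01", "ActionType": "ConnectionSuccess",
     "InitiatingProcessFileName": "vmsclient.exe", "LocalIP": "10.0.5.20", "RemoteIP": "192.168.1.10", "RemotePort": 80},
    {"TimeGenerated": "2026-03-05T09:16:40Z", "DeviceName": "wkstn-042", "ActionType": "ConnectionSuccess",
     "InitiatingProcessFileName": "curl.exe", "LocalIP": "10.0.7.31", "RemoteIP": "192.168.1.10", "RemotePort": 80},
    {"TimeGenerated": "2026-03-05T09:17:05Z", "DeviceName": "wkstn-042", "ActionType": "ConnectionFailed",
     "InitiatingProcessFileName": "python.exe", "LocalIP": "10.0.7.31", "RemoteIP": "192.168.1.11", "RemotePort": 443},
    {"TimeGenerated": "2026-03-05T09:18:30Z", "DeviceName": "wkstn-017", "ActionType": "ConnectionSuccess",
     "InitiatingProcessFileName": "chrome.exe", "LocalIP": "10.0.7.12", "RemoteIP": "192.168.1.50", "RemotePort": 80},
    {"TimeGenerated": "2026-03-05T09:20:11Z", "DeviceName": "wkstn-017", "ActionType": "ConnectionSuccess",
     "InitiatingProcessFileName": "powershell.exe", "LocalIP": "10.0.7.12", "RemoteIP": "192.168.1.11", "RemotePort": 8080},
]


def suspicious_connections(events: List[Dict], cameras: List[Camera], approved=APPROVED_PROCESSES) -> List[Dict]:
    """Same filter as the KQL hunt: successful connections to camera web ports
    from any process that is not the approved management software, newest first."""
    camera_ips = {c.ip for c in cameras}
    hits = [e for e in events
            if e["ActionType"] == "ConnectionSuccess"
            and e["RemotePort"] in WEB_PORTS
            and e["RemoteIP"] in camera_ips
            and e["InitiatingProcessFileName"].lower() not in approved]
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    cams = parse_nmap(NMAP_OUTPUT)
    print(kql_camera_list(cams))
    for c in needs_patch(cams):
        print("patch:", c.ip, c.title, c.firmware or "version unknown")
    for e in suspicious_connections(EVENTS, cams):
        print("review:", e["TimeGenerated"], e["DeviceName"], e["InitiatingProcessFileName"],
              "->", e["RemoteIP"], e["RemotePort"])
```

On the constructed input the script lists both Sarix hosts, marks only 192.168.1.10 (firmware 02.52) as needing the 02.53 update, and flags the curl.exe and powershell.exe connections while ignoring the approved VMS client, the failed connection, and the non-camera nginx host. Cameras whose version the scan cannot read are deliberately kept in the patch list so they are verified rather than silently assumed fixed.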

Mitigation Strategies

Security Arsenal strongly recommends the following actions to remediate this threat:

  1. Immediate Firmware Update: Pelco has released firmware version 02.53 to address this vulnerability. Update all affected Sarix Professional 3 Series cameras (IMP, IXP, IBP, IWP) to this version or later immediately.
  2. Network Segmentation: Ensure IP cameras are isolated on a dedicated VLAN. They should not be reachable directly from the internet or the general business network.
  3. Minimize Attack Surface: If a camera is not required to have a web interface accessible from the management station, disable the web service via SSH or serial interface if possible, or strictly limit access via firewall ACLs to specific management IP addresses.
  4. Review Remote Access: CISA advises against opening control system devices to the internet. If remote management is necessary, ensure it is proxied through a secure VPN with Multi-Factor Authentication (MFA).

Staying ahead of vulnerabilities in Operational Technology (OT) and IoT devices requires constant vigilance. If you need assistance identifying affected assets across your enterprise, Security Arsenal is here to help.
