CISA has released ICSA-26-113-03, detailing a cluster of critical security vulnerabilities affecting Milesight IP Camera series. These CVEs (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, and CVE-2026-20766) allow for unauthenticated remote code execution (RCE) and device crashes.
For defenders, this is a "drop-everything" scenario. These devices are often deployed on the edge of the network, frequently with default configurations and direct internet access. An unauthenticated RCE vulnerability means an attacker needs no credentials to gain a foothold on your network, pivot to internal OT systems, or use the device as a launchpad for ransomware or DDoS attacks. If you manage physical security infrastructure or manufacturing floors, you must assume these devices are currently being scanned for exploitation.
Technical Analysis
Affected Products & Versions
The vulnerabilities impact several Milesight camera series running specific firmware versions. The critical flaw allows attackers to execute arbitrary code without authentication.
Affected Models:
- MS-Cxx63-PD
- MS-Cxx64-xPD
- MS-Cxx73-xPD
- MS-Cxx75-xxPD
- MS-Cxx83-xPD
- MS-Cxx74-PA
Vulnerable Firmware Versions:
- MS-Cxx63-PD, MS-Cxx64-xPD, MS-Cxx73-xPD, MS-Cxx75-xxPD, MS-Cxx83-xPD: <= v51.7.0.77-r12
- MS-Cxx74-PA: <= v3x.8.0.3-r11
CVE Details & Impact
While specific CVSS scores were not fully detailed in the immediate advisory, the classification of "Unauthenticated Code Execution" typically warrants a CVSS score of 9.8 (Critical). The vulnerabilities involve memory safety issues or improper input validation in the web interface or streaming services, allowing attackers to inject malicious payloads.
Exploitation Status
These vulnerabilities have been identified by CISA, elevating their priority for critical infrastructure sectors. While mass exploitation has not been confirmed at the time of writing, the availability of proof-of-concept code for similar IoT RCE flaws typically follows CISA advisories within hours to days. Attackers are actively scanning for exposed IoT management interfaces.
Detection & Response
Detection relies heavily on identifying the vulnerable assets on the network and monitoring for post-exploitation behaviors, such as reverse shells or unauthorized outbound traffic from devices that should only communicate with a Video Management System (VMS).
SIGMA Rules
---
title: Milesight Camera Identification via User-Agent
id: 85c9f1a2-3b4d-4e5f-8a1b-2c3d4e5f6a7b
status: experimental
description: Identifies Milesight cameras on the network based on HTTP User-Agent headers to aid in asset discovery for CVE-2026-28747.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: proxy
detection:
  selection:
    c-useragent|contains: 'Milesight'
  condition: selection
falsepositives:
  - Legitimate administrative traffic
level: informational
---
title: Suspicious Outbound Connection from IoT Subnet
id: 92d0e3f4-5a6b-7c8d-9e0f-1a2b3c4d5e6f   # placeholder: the original id was not a valid UUID; generate a fresh UUIDv4 before deploying
status: experimental
description: Detects outbound connections from known Milesight camera subnets to non-standard external ports, potentially indicating a reverse shell or C2 beaconing.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
detection:
  selection:
    SourceIp|cidr: '10.0.50.0/24'   # Replace with your Camera/VLAN subnet
  # Sigma has no "notin" modifier; expected ports are excluded via a filter in the condition
  filter_expected_ports:
    DestinationPort:
      - 80
      - 443
      - 554    # RTSP
      - 1935   # RTMP
      - 123    # NTP (cameras are expected to reach an NTP server)
      - 53     # DNS
  condition: selection and not filter_expected_ports
falsepositives:
  - Firmware update checks
  - Cloud backup features
level: high
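The second Sigma rule and the detection paragraph above describe the same idea: a camera should talk only to the VMS (and NTP), so anything else it originates is worth an alert. The following Python script is an added example, not part of the original post or of any Milesight or CISA material. It runs the allowlist logic over a handful of constructed flow-log lines in a simple `<timestamp> <src> -> <dst>:<port> <proto>` format; the subnet, VMS and NTP addresses are constructed placeholders, and it goes one step beyond the Sigma rule by distinguishing "wrong port", "wrong internal host" and "internet-bound" so the analyst sees why a flow was flagged.

```python
import ipaddress
import re

# Constructed values: replace with your own camera VLAN, VMS recorder and NTP server.
CAMERA_SUBNET = ipaddress.ip_network("10.0.50.0/24")
VMS_HOSTS = {ipaddress.ip_address("10.0.10.5")}
NTP_HOSTS = {ipaddress.ip_address("10.0.10.123")}
VMS_PORTS = {80, 443, 554, 1935}  # HTTP/HTTPS management, RTSP, RTMP (same list as the Sigma rule)
# RFC 1918 space counts as "internal"; everything else is treated as internet-bound.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log format: "<timestamp> <src> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)\s+(tcp|udp)$")


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match the expected format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return None for an expected camera flow, otherwise a short reason string."""
    if flow["src"] not in CAMERA_SUBNET:
        return None  # not camera-originated; out of scope for this rule
    dst, port, proto = flow["dst"], flow["dport"], flow["proto"]
    if dst in VMS_HOSTS and port in VMS_PORTS:
        return None  # streaming/management traffic to the recorder
    if dst in NTP_HOSTS and port == 123 and proto == "udp":
        return None  # time sync
    if not is_internal(dst):
        return "camera-to-internet"
    if port not in VMS_PORTS:
        return "camera-nonstandard-port"
    return "camera-to-unexpected-host"


def scan(lines):
    """Return (src, dst, dport, reason) for every flow that breaks the camera allowlist."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            alerts.append((str(flow["src"]), str(flow["dst"]), flow["dport"], reason))
    return alerts


SAMPLE_LOG = [  # constructed sample records
    "2026-04-06T10:00:01Z 10.0.50.12 -> 10.0.10.5:554 tcp",     # RTSP to the VMS: expected
    "2026-04-06T10:00:02Z 10.0.50.12 -> 10.0.10.123:123 udp",   # NTP: expected
    "2026-04-06T10:00:03Z 10.0.50.12 -> 203.0.113.7:4444 tcp",  # internet-bound, odd port
    "2026-04-06T10:00:04Z 10.0.50.13 -> 10.0.20.8:22 tcp",      # lateral movement attempt
    "2026-04-06T10:00:05Z 10.0.50.13 -> 10.0.20.9:443 tcp",     # allowed port, but not the VMS
    "2026-04-06T10:00:06Z 10.0.40.2 -> 203.0.113.7:4444 tcp",   # not from the camera VLAN
    "not a flow record",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Feeding real NetFlow or firewall exports requires only a new `FLOW_RE`; the allowlist and the three reason codes map directly onto the `selection`/`filter` pair of the Sigma rule.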
KQL (Microsoft Sentinel / Defender)
The following queries help hunt for vulnerable devices and suspicious network activity. Adjust the IP ranges to match your specific IoT or Camera VLANs.
// Hunt for Milesight Camera User-Agents in Proxy Logs
// CommonSecurityLog stores the client User-Agent in RequestClientApplication
CommonSecurityLog
| where DeviceVendor contains "Milesight" or RequestClientApplication contains "Milesight"
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, RequestClientApplication, RequestMethod
| summarize count() by SourceIP, RequestClientApplication, bin(TimeGenerated, 1h)

// Hunt for outbound connections from Camera subnets to suspicious ports
// DeviceNetworkEvents only covers hosts running the Defender sensor, so this finds
// monitored hosts (e.g. a jump server) in the camera VLAN rather than the cameras themselves
let CameraSubnets = dynamic(["192.168.10.0/24", "10.20.30.0/24"]); // Update Subnets
DeviceNetworkEvents
| where ipv4_is_in_any_range(LocalIP, CameraSubnets)
| where RemotePort !in (80, 443, 554, 37777, 8080)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, LocalIP, RemoteIP, RemotePort, RemoteUrl
| order by TimeGenerated desc
Velociraptor VQL
This VQL artifact hunts for processes that might be indicative of a compromised IoT device or a reverse shell connection originating from a Linux-based camera or jump server.
-- Hunt for suspicious reverse shell processes on Linux endpoints
SELECT Pid, Name, CommandLine, Exe, Username, Cwd
FROM pslist()
WHERE Name =~ '^(bash|sh|nc|netcat|telnet)$'
  AND CommandLine =~ '(/dev/tcp|rm -f|/tmp/|wget |curl )'
  -- Excludes root-owned shells; on embedded devices that is where such shells usually run, so drop this clause if that is the concern
  AND Username != 'root'
Remediation Script (Bash)
Use this script to discover devices on your local network that identify as Milesight cameras; it produces a list of candidates to check against the advisory and does not change anything on the devices. Ensure you have permission to scan the network before running.
#!/bin/bash
# Milesight Camera Vulnerability Scanner
# Scans local subnet for devices identifying as Milesight
set -u
SUBNET="${1:-192.168.1.0/24}"   # CHANGE THIS TO YOUR CAMERA SUBNET (or pass it as the first argument)

if ! command -v nmap >/dev/null 2>&1; then
  echo "nmap could not be found. Please install nmap." >&2
  exit 1
fi

echo "[+] Scanning $SUBNET for Milesight Cameras..."
# The http-server-header NSE script prints each host's HTTP Server header;
# grep -B 4 keeps the host/port lines printed just above a Milesight match
nmap -p 80,443,8080 --open -sV "$SUBNET" \
  --script http-server-header \
  | grep -B 4 "Milesight" || echo "[-] No Milesight server headers found in $SUBNET"

echo "[+] Scan complete. Review the output for 'Milesight' headers."
echo "[+] Action Item: Check firmware version of identified devices against CISA advisory."
Remediation & Hardening
1. Patch Immediately
Apply the latest firmware updates provided by Milesight to mitigate these vulnerabilities. Ensure versions are strictly greater than the listed vulnerable versions:
- For MS-Cxx63-PD, MS-Cxx64-xPD, MS-Cxx73-xPD, MS-Cxx75-xxPD, MS-Cxx83-xPD: Update to firmware > 51.7.0.77-r12.
- For MS-Cxx74-PA: Update to firmware > 3x.8.0.3-r11.
Download updates directly from the official Milesight Support Portal.
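Deciding whether an inventory row is vulnerable is less trivial than it looks: the firmware string has five numeric fields including the `-rNN` suffix, and the MS-Cxx74-PA ceiling is written with a wildcard major (`3x`). The script below is an added example, not code from the post, CISA or Milesight. It encodes the model patterns and firmware ceilings exactly as quoted above, treats each lowercase `x` as a one-character wildcard (an assumption of this example; confirm it against Milesight's version scheme), and classifies constructed sample rows as vulnerable, patched, outside the listed branch, or not listed.

```python
import re

# Model patterns and firmware ceilings as quoted from ICSA-26-113-03 in the text above.
# Assumption of this example: each lowercase 'x' is a one-character wildcard.
ADVISORY = [
    (("MS-Cxx63-PD", "MS-Cxx64-xPD", "MS-Cxx73-xPD", "MS-Cxx75-xxPD", "MS-Cxx83-xPD"), "v51.7.0.77-r12"),
    (("MS-Cxx74-PA",), "v3x.8.0.3-r11"),
]

FIRMWARE_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)-r(\d+)$", re.IGNORECASE)
CEILING_RE = re.compile(r"^v?([0-9x]+)\.(\d+)\.(\d+)\.(\d+)-r(\d+)$", re.IGNORECASE)


def model_matches(pattern, model):
    """True if a concrete model (e.g. MS-C2963-PD) fits an advisory pattern (e.g. MS-Cxx63-PD)."""
    regex = "".join("[A-Z0-9]" if ch == "x" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, model.strip().upper()) is not None


def parse_firmware(version):
    """'51.7.0.77-r12' or 'v51.7.0.77-r12' -> (51, 7, 0, 77, 12)."""
    m = FIRMWARE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(g) for g in m.groups())


def at_or_below_ceiling(firmware, ceiling):
    """True/False if firmware is <= / > the advisory ceiling; None if the major
    does not belong to the wildcarded branch (e.g. 42.x against a '3x' ceiling)."""
    fw = parse_firmware(firmware)
    major_pat, *rest = CEILING_RE.match(ceiling).groups()
    ceiling_rest = tuple(int(g) for g in rest)
    if "x" in major_pat.lower():
        branch = major_pat.lower().replace("x", r"\d")
        if not re.fullmatch(branch, str(fw[0])):
            return None
        return fw[1:] <= ceiling_rest
    return fw <= (int(major_pat),) + ceiling_rest


def assess(model, firmware):
    """Classify one inventory row against the advisory."""
    for patterns, ceiling in ADVISORY:
        if any(model_matches(p, model) for p in patterns):
            verdict = at_or_below_ceiling(firmware, ceiling)
            if verdict is None:
                return "outside-listed-branch"
            return "vulnerable" if verdict else "patched"
    return "not-listed"


INVENTORY = [  # constructed sample rows: (camera IP, model, firmware as reported by the device)
    ("10.0.50.12", "MS-C2963-PD", "51.7.0.77-r12"),   # exactly the ceiling: still vulnerable
    ("10.0.50.13", "MS-C2963-PD", "v51.7.0.78-r1"),   # one build above: patched
    ("10.0.50.14", "MS-C5374-PA", "31.8.0.3-r11"),    # '3x' branch, at the ceiling
    ("10.0.50.15", "MS-C5374-PA", "31.8.0.4-r2"),     # '3x' branch, above the ceiling
    ("10.0.50.16", "MS-C5374-PA", "42.8.0.3-r11"),    # major not covered by '3x'
    ("10.0.50.17", "MS-C2951-PB", "40.7.0.1-r1"),     # model not in the advisory
]


def triage(rows):
    return [(ip, model, fw, assess(model, fw)) for ip, model, fw in rows]


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("%-12s %-13s %-15s %s" % row)
```

Because the comparison is tuple-based, `51.7.0.77-r13` correctly ranks above `51.7.0.77-r12` even though the first four fields are equal; a plain string comparison would get `-r9` versus `-r12` wrong.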
2. Network Segmentation (Critical Workaround)
If patching is not immediately possible:
- Isolate cameras on a dedicated VLAN.
- Implement firewall rules to strictly limit traffic to known Video Management System (VMS) IP addresses and NTP servers.
- Block all inbound internet access to the camera management interfaces (ports 80, 443, 8080) from untrusted networks.
3. Disable Unused Services
If the specific camera model allows, disable unused services such as UPnP, Telnet, or SSH if they are not required for operations.
4. Credentials Review
While these vulnerabilities are unauthenticated, it is best practice to ensure default passwords have been changed to prevent secondary attack vectors.
5. CISA Compliance
Given the inclusion in CISA advisories, organizations supporting US Critical Infrastructure should prioritize remediation according to CISA's "Due Care" guidelines, typically within 48 hours for known exploited vulnerabilities or immediately if the devices are internet-facing.