Back to Intelligence

CVE-2026-5386: KMW CCTV Unauthenticated Password Reset — Detection and Hardening

SA
Security Arsenal Team
May 29, 2026
6 min read

CISA has released ICSA-26-148-06 regarding a critical vulnerability (CVE-2026-5386) affecting KMW CCTV Security Cameras. This flaw, classified as an unauthenticated password reset with a CVSS v3 score of 9.1, allows attackers to completely bypass authentication and seize administrative control of affected devices remotely.

Given the deployment of these devices in Critical Infrastructure sectors—including Financial Services, Transportation Systems, and Government Facilities—this is not a standard IT vulnerability. It represents a physical security breach vector. Attackers can silently disable surveillance feeds, pivot into internal networks, or leverage cameras for botnet recruitment. Defenders must immediately identify affected assets and apply strict network isolation.

Technical Analysis

Affected Products & Versions:

  • KM-IP521 (IPCAM_V4.04.91.230307)
  • KM-IP421 (IPCAM_V4.04.53.210416)

Vulnerability Details:

  • CVE ID: CVE-2026-5386
  • CVSS Score: 9.1 (Critical)
  • Vulnerability Class: Improper Authentication (Unverified Password Change)

Attack Mechanism: The vulnerability resides in the web management interface of the camera. Due to a logic flaw in the password change handler, the device fails to validate the current password or an authenticated session token when processing a password update request.

  1. Discovery: The attacker scans for the affected KMW models (usually identifiable by HTTP server headers or specific web paths) on port 80/443.
  2. Exploitation: The attacker sends a crafted HTTP request (typically a POST) to the password reset endpoint.
  3. Takeover: The device accepts the request and updates the administrative credential to a value chosen by the attacker.
  4. Access: The attacker authenticates using the new credential, gaining full access to video feeds and device settings.

Exploitation Status: While this advisory has just been released, the simplicity of the exploit (unauthenticated HTTP request) means active scanning and exploitation are imminent. It is currently listed in CISA advisories, requiring immediate attention per CISA KEV (Known Exploited Vulnerabilities) protocols.

Detection & Response

Detecting this specific vulnerability requires visibility into the HTTP traffic directed at IoT/IoMT devices. Standard endpoint detection (EDR) is rarely present on these cameras, so network telemetry (IDS/IPS, Proxy, Firewall) is your primary defense layer.

Sigma Rules

The following rules detect the behavioral indicators of an unauthenticated password reset attempt or administrative access on these specific devices.

YAML
---
title: Potential Unauthenticated Password Reset on KMW CCTV
id: c9a8d712-3f45-4b9a-8e1c-2d4f5a6b7c8d
status: experimental
description: Detects HTTP POST requests containing password reset keywords to KMW CCTV endpoints, indicating exploitation of CVE-2026-5386.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-06
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.credential_access
  - cve-2026-5386
logsource:
  category: proxy
  product: any
detection:
  selection:
    cs-method: 'POST'
    cs-uri-query|contains:
      - 'password'
      - 'pwd'
      - 'pass'
    cs-host|endswith:
      - 'index.html'
      - 'login.htm'
  filter_legit:
    sc-status: 401
  condition: selection and not filter_legit
falsepositives:
  - Legitimate administrative password changes from management stations
level: high
---
title: KMW CCTV Administrative Login from External Source
id: b1c2d3e4-5f67-8a9b-0c1d-2e3f4a5b6c7d
status: experimental
description: Detects successful HTTP logins to KMW camera management interfaces from external IP ranges or non-management workstations.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-06
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.valid_accounts
logsource:
  category: webserver
  product: apache
detection:
  selection:
    cs-method: 'POST'
    cs-uri-path|contains:
      - 'login.cgi'
      - 'logon.jsp'
    sc-status: 200
  filter_internal:
    c-ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_internal
falsepositives:
  - Authorized remote administration by VPN users
level: critical

KQL (Microsoft Sentinel)

Use this query to hunt for suspicious administrative activity targeting CCTV devices in your environment.

KQL — Microsoft Sentinel / Defender
let KMWDevices = DeviceNetworkEvents
| where RemotePort == 80 or RemotePort == 443
| where DeviceName contains "KM-IP" or InitiatingProcessAccount contains "KMW";
DeviceNetworkEvents
| where RemotePort in (80, 443)
| where ActionType in ("ConnectionAllowed", "NetworkConnectionAccepted")
| project TimeGenerated, DeviceName, SourceIP, DestinationIP, RemotePort
| join kind=inner (KMWDevices) on DeviceName
| where SourceIP !in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12") // Filter internal management subnets
| summarize count() by bin(TimeGenerated, 1h), SourceIP, DeviceName
| order by count_ desc

Velociraptor VQL

This VQL artifact hunts for unexpected processes connecting to camera management ports on Linux-based management servers or jump hosts.

VQL — Velociraptor
-- Hunt for processes connecting to CCTV Ports (80/443) outside of known binaries
SELECT Pid, Name, CommandLine, Exe, Username, StartTime
FROM pslist()
WHERE Exe NOT IN ("/usr/sbin/apache2", "/usr/sbin/nginx", "/usr/sbin/sshd")
  AND Name IN ("curl", "wget", "python", "perl", "nc")
  AND CommandLine =~ "(192\.168\.|10\.|172\.)"  -- Targeting internal RFC1918 space

Remediation Script (Bash)

This script assists in identifying vulnerable firmware versions via HTTP banner grabbing (if available) and enforcing a temporary network firewall block using iptables on a Linux gateway.

Bash / Shell
#!/bin/bash

# KMW CCTV CVE-2026-5386 Mitigation Script
# Usage: sudo ./kmw_mitigation.sh

# Define vulnerable versions
VULN_VERSION_1="IPCAM_V4.04.91.230307"
VULN_VERSION_2="IPCAM_V4.04.53.210416"

# Log file
LOG_FILE="./kmw_scan_$(date +%Y%m%d_%H%M%S).log"

echo "[*] Scanning local subnet for KMW Cameras..." | tee -a $LOG_FILE

# Simple Nmap scan for web interfaces on common CCTV subnets (Adjust 192.168.1.0/24 as needed)
# Ensure nmap is installed
if command -v nmap &> /dev/null; then
    nmap -p 80,443,554 --open -oG - 192.168.1.0/24 | grep "Ports:" | awk '{print $2}' > potential_hosts.txt
else
    echo "[!] Nmap not found. Please install nmap." | tee -a $LOG_FILE
    exit 1
fi

while read -r host; do
    echo "[*] Checking $host..." | tee -a $LOG_FILE
    
    # Attempt to grab version info (Adjust pattern based on actual device response)
    RESPONSE=$(curl -s --connect-timeout 3 "http://$host/" | grep -oE "IPCAM_V[0-9.]+" || echo "")
    
    if [[ "$RESPONSE" == "$VULN_VERSION_1" ]] || [[ "$RESPONSE" == "$VULN_VERSION_2" ]]; then
        echo "[!!!] VULNERABLE DEVICE FOUND: $host - Version: $RESPONSE" | tee -a $LOG_FILE
        
        # Apply iptables block to block traffic to this device from outside management VLAN
        # This is a temporary containment measure.
        iptables -A INPUT -s $host -j DROP
        echo "[+] Blocked traffic from $host via iptables." | tee -a $LOG_FILE
    else
        echo "[-] $host is not reporting a vulnerable version or is offline." | tee -a $LOG_FILE
    fi
    
done < potential_hosts.txt

echo "[*] Scan complete. Review $LOG_FILE."
echo "[*] IMPORTANT: Update firmware to latest vendor version immediately."

Remediation

  1. Patch Immediately: Apply the latest firmware update provided by KMW to address CVE-2026-5386. Ensure the version is later than IPCAM_V4.04.91.230307 or IPCAM_V4.04.53.210416.
  2. Network Segmentation: Move all CCTV devices to an isolated VLAN. They should not have direct internet access. Access to the camera management interface (Ports 80/443) should be restricted strictly to the IP addresses of the management workstation/NVR.
  3. Change Passwords: After patching, change the administrative passwords on all devices. Assume that if they were vulnerable prior to patching, the credentials may have been compromised.
  4. Disable Unused Services: Ensure Telnet and UPnP are disabled on all cameras. Use RTSP over TLS where supported.
  5. Advisory Reference: Refer to CISA ICSA-26-148-06 for the latest vendor patches and technical details. Deadlines for remediation apply to critical infrastructure entities.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringkmw-cctvcve-2026-5386ics-securityiot-vulnerability

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action