Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-32644 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-28 |
| Vendor | Milesight |
| Product | AIOT Camera |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Specific firmware versions of Milesight AIOT cameras use SSL certificates with shared default private keys. Because the private key is the same across many devices and can be extracted from the firmware, an on-path attacker can decrypt HTTPS communications or perform man-in-the-middle attacks impersonating the camera.
Required Actions
Update the Milesight AIOT camera firmware to a version that generates unique per-device certificates immediately. After updating, force regeneration of the SSL certificate on each camera and verify that the certificate is not the default one. Until the patch is deployed, restrict camera communication to VLAN segments not reachable from the outside, use VPN for remote access, and monitor logs for unusual connections.
Who Is Affected?
This vulnerability affects AIOT Camera by Milesight. Check whether your organization uses Milesight AIOT cameras and update the firmware and rotate SSL certificates to per-device unique values without delay.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
