CVE-2026-28747 HIGH

CVE-2026-28747: Milesight Cameras Authorization Bypass Through User-Controlled Key

Vendor Milesight
Product MS-Cxx63-PD
Weakness CWE-639 · IDOR
Published April 27, 2026
Last update April 28, 2026

CVSS base score

7.3/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction Active
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A weak key generation vulnerability in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed.

Key dates

02 Disclosure timeline

April 27, 2026 CVE published
April 28, 2026 Record updated