AVer patches critical RCE in four PTC cameras
Unauthenticated code execution on a facility camera is a patch-now item, especially where cameras sit on flatter operational networks.
TL;DR
CISA issued ICSA-26-169-01 for CVE-2026-40624, a CVSS 9.8 improper input validation flaw affecting all versions of AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras. Government, commercial facilities, healthcare, municipal IT, defense suppliers, and contractors using the cameras should apply AVer’s firmware fix and keep the devices off internet-accessible networks. CISA says it has no reports of public exploitation targeting this vulnerability.
CISA’s advisory is straightforward: all versions of AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras are affected by CVE-2026-40624, an improper input validation vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code through a crafted web request. AVer has issued a firmware fix. For operators in government services and facilities, commercial facilities, healthcare, municipal environments, and contractor sites, the operational work is also ordinary: patch, verify the firmware on deployed units, remove camera management interfaces from internet exposure, and keep these devices segmented from business networks. CISA reports no known public exploitation specific to this vulnerability as of the June 18 advisory.
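An added example, not from CISA, AVer or the original article: a Python triage of an asset inventory against the checks above (firmware verified on the unit, management address not internet-facing, camera not in a business subnet). The CSV columns, hostnames, subnets and build strings are constructed placeholders; the article does not state the fixed firmware version, so substitute the build AVer publishes.

```python
import csv
import io
import ipaddress

# Models named in ICSA-26-169-01 (CVE-2026-40624); all firmware versions are affected.
AFFECTED_MODELS = {"PTC500S", "PTC115", "PTC500+", "PTC115+"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory export: hostnames, addresses and build strings are placeholders.
SAMPLE_INVENTORY = """hostname,model,firmware,mgmt_ip
cam-lobby,AVer PTC500+,OLD-BUILD-PLACEHOLDER,10.20.5.11
cam-boardroom,ptc115,FIXED-BUILD-PLACEHOLDER,10.10.3.40
cam-dock,PTC500S,FIXED-BUILD-PLACEHOLDER,203.0.113.25
cam-hall,OTHERCAM-X1,OLD-BUILD-PLACEHOLDER,10.10.3.41
cam-clinic,PTC115+,FIXED-BUILD-PLACEHOLDER,10.20.5.12
"""


def normalize_model(raw):
    """Reduce 'AVer PTC500+' or ' ptc115 ' to the bare model name for exact matching."""
    return "".join(raw.upper().replace("AVER", "").split())


def audit(inventory_csv, fixed_builds, business_nets):
    """Return {hostname: [findings]} for affected cameras that still need work."""
    nets = [ipaddress.ip_network(n) for n in business_nets]
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Exact match only: a prefix match on "PTC" would pull in unlisted models.
        if normalize_model(row["model"]) not in AFFECTED_MODELS:
            continue
        findings = []
        if row["firmware"].strip() not in fixed_builds:
            findings.append("firmware not verified as fixed build")
        ip = ipaddress.ip_address(row["mgmt_ip"].strip())
        if not any(ip in n for n in RFC1918):
            findings.append("management address is not RFC 1918; check internet exposure")
        if any(ip in n for n in nets):
            findings.append("management address sits in a business subnet")
        if findings:
            report[row["hostname"]] = findings
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY, {"FIXED-BUILD-PLACEHOLDER"}, ["10.10.0.0/16"])
    for host, items in result.items():
        print(host, "->", "; ".join(items))
```

A private address does not rule out exposure through port forwarding, so confirm the result against perimeter firewall rules.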
Published · Deep Fathom