
CISA discloses Brickcom camera flaws without vendor fix

A silent camera vendor turns an ordinary segmentation problem into an open-ended exposure window for facilities that still run these devices.


TL;DR

CISA published ICSA-26-162-03 for Brickcom Cube, Dome, Bullet and Box cameras running 3.2.3.5.6, warning that CVE-2026-50245 exposes live snapshots through the /ONVIF endpoint and CVE-2026-50005 leaves default credentials in place. The advisory lists commercial facilities, critical manufacturing, financial services and healthcare deployments worldwide. Brickcom did not respond to CISA coordination requests, so owners are left with defensive controls and a support link.

CISA’s June 11 advisory gives Brickcom camera owners the unpleasant version of an industrial control system vulnerability notice: two access-control failures, affected models in four critical infrastructure sectors, and no coordinated vendor remediation. The affected Brickcom Cube, Dome, Bullet and Box cameras running version 3.2.3.5.6 can expose live visual information and, according to CISA, may allow administrative control of the device.

The two CVEs are direct enough. CVE-2026-50245 allows unauthenticated access to live snapshot images through the /ONVIF endpoint. CVE-2026-50005 involves default credentials that allow an unauthenticated remote attacker to silently access camera feeds. CISA scores both at CVSS v3.1 7.7 and CVSS v4.0 8.3, and says no known public exploitation targeting these vulnerabilities has been reported to the agency.

The operational problem is Brickcom’s absence from the process. CISA says Brickcom did not respond to its coordination request and tells users to contact Brickcom for support. That leaves municipal IT teams, facility operators and assessors with the familiar mitigations: remove internet exposure, put control-system devices behind firewalls, isolate them from business networks, and keep any required VPN access current.

For practitioners, the Monday task is asset confirmation, exposure review and compensating control documentation. If these models are deployed in commercial facilities, manufacturing, financial services or healthcare environments, the risk is not abstract device hygiene. It is unauthorized visual surveillance from premises the organization may have assumed were protected by the camera system itself.
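To make that Monday task concrete, here is an added triage script (not from CISA, Brickcom or The Broadside) that checks a constructed camera inventory against the advisory's affected models and firmware version, lists which of the two CVEs apply to each unit, and records which of CISA's compensating controls are still open. The inventory fields `zone`, `internet_reachable` and `default_creds`, the device names and the credential-change action are assumptions for the example, not values from the advisory.

```python
from dataclasses import dataclass, field

# Brickcom camera lines and firmware version named in ICSA-26-162-03
AFFECTED_MODELS = {"Cube", "Dome", "Bullet", "Box"}
AFFECTED_FIRMWARE = "3.2.3.5.6"

@dataclass
class Camera:
    name: str
    model: str
    firmware: str
    zone: str                 # constructed field: "business", "ot" or "dmz"
    internet_reachable: bool  # constructed field from the firewall/NAT review
    default_creds: bool       # constructed field from the credential audit

@dataclass
class Finding:
    camera: str
    cves: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def triage(inventory):
    """One Finding per affected camera: the advisory CVEs that apply and the
    compensating controls that are still open for that unit."""
    findings = []
    for cam in inventory:
        # Only the exact version CISA lists is treated as affected
        if cam.model not in AFFECTED_MODELS or cam.firmware != AFFECTED_FIRMWARE:
            continue
        f = Finding(cam.name)
        # CVE-2026-50245: unauthenticated snapshots via /ONVIF on every affected unit
        f.cves.append("CVE-2026-50245")
        if cam.default_creds:          # CVE-2026-50005 applies only while defaults remain
            f.cves.append("CVE-2026-50005")
            f.actions.append("change default credentials")  # assumed action, not in the advisory text quoted above
        if cam.internet_reachable:
            f.actions.append("remove internet exposure")
        if cam.zone == "business":
            f.actions.append("isolate from business network behind firewall")
        findings.append(f)
    return findings

# Constructed sample inventory (hypothetical devices and values)
SAMPLE = [
    Camera("lobby-01", "Dome", "3.2.3.5.6", "business", True, True),
    Camera("dock-03", "Bullet", "3.2.3.5.6", "ot", False, False),
    Camera("vault-02", "Box", "9.9.9", "ot", False, True),        # other firmware, not listed
    Camera("hall-07", "OtherCam", "1.0", "business", True, True),  # not a Brickcom model
]
```

Running `triage(SAMPLE)` flags only the two units on the listed firmware; the isolated OT-zone unit still carries the snapshot exposure but needs no further network action.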


Published · Deep Fathom
