CISA flags critical unauthenticated password reset in KMW CCTV cameras
CVE-2026-5386 lets an unauthenticated attacker reset admin credentials remotely, and the KM-IP421 patch trades one problem for another.
TL;DR
CISA issued ICSA-26-148-06 for CVE-2026-5386 (CVSS 9.1), an unauthenticated password reset flaw in KMW CCTV cameras (KM-IP521 firmware V4.04.91.230307 and KM-IP421 firmware V4.04.53.210416) deployed across government, municipal, and critical infrastructure facilities worldwide. An attacker can remotely reset the administrator password to a known value with no prior authentication, gaining full access to camera feeds and settings. KMW has released a firmware update at main.kmw.ro; KM-IP421 operators should note the update drops cloud P2P authorization and requires a support call to re-authorize before remote access is restored.
Patch now, but read the fine print first if you're running KM-IP421 units. KMW's firmware update for that model strips the camera's cloud authorization on install, leaving P2P connectivity offline until operators contact KMW support to re-authorize. For any deployment where those cameras are the primary remote-monitoring path, that re-authorization window is its own operational gap. KM-IP521 operators get a cleaner remediation: apply the update at main.kmw.ro/pub/Firmware/521_421.zip and move on.
The underlying flaw, classified under CWE-620 (Unverified Password Change), requires no credentials, no user interaction, and no elevated network position; the CVSS vector is AV:N/AC:L/PR:N/UI:N. Anyone who can reach the camera over the network can own it. CISA's standard ICS mitigations apply in the interim: isolate surveillance equipment on a separate VLAN, block direct internet exposure, and require VPN for remote access.
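The weakness class named above, CWE-620, as an added illustration that is not KMW's firmware code: a minimal device model with a password-reset handler in the unverified shape beside a hardened one that demands an authenticated admin session plus the current password. The Device class, the request dictionaries and the credential store are assumptions constructed for the example.

```python
# Added illustration of CWE-620 (Unverified Password Change), the weakness class CISA
# assigned to CVE-2026-5386. Constructed example, not KMW firmware; Device, the
# request dicts and the credential store are assumptions.
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Device:
    def __init__(self, admin_password: str):
        self.salt = os.urandom(16)
        self.admin_hash = _hash(admin_password, self.salt)  # salted, never plaintext
        self.sessions = {}  # session token -> username

    def login(self, user: str, password: str):
        if user == "admin" and hmac.compare_digest(_hash(password, self.salt), self.admin_hash):
            token = secrets.token_hex(16)
            self.sessions[token] = user
            return token  # caller presents this on later requests
        return None

    def reset_password_unverified(self, request: dict) -> bool:
        # CWE-620 shape: the request body alone is trusted, so any reachable peer can set the credential.
        self.admin_hash = _hash(request["new_password"], self.salt)
        return True

    def reset_password_verified(self, request: dict) -> bool:
        # Hardened shape: an authenticated admin session AND proof of the
        # current password are required; old sessions are dropped afterwards.
        if self.sessions.get(request.get("session")) != "admin":
            return False
        current = request.get("current_password", "")
        if not hmac.compare_digest(_hash(current, self.salt), self.admin_hash):
            return False
        self.admin_hash = _hash(request["new_password"], self.salt)
        self.sessions.clear()
        return True

def demo() -> dict:
    # Exercise both handlers with constructed requests and report the outcomes.
    dev = Device("original-secret")
    dev.reset_password_unverified({"new_password": "chosen-by-peer"})
    hijacked = dev.login("admin", "chosen-by-peer") is not None
    dev = Device("original-secret")
    no_session = dev.reset_password_verified({"new_password": "x"})
    tok = dev.login("admin", "original-secret")
    ok = dev.reset_password_verified({"session": tok, "current_password": "original-secret", "new_password": "rotated"})
    return {"unverified_hijacked": hijacked, "verified_no_session": no_session, "verified_ok": ok,
            "old_session_dead": tok not in dev.sessions, "new_login": dev.login("admin", "rotated") is not None}
```

The unverified handler is exactly what CWE-620 describes: the reset succeeds for a caller holding no session at all, which is why isolating the camera network matters until the firmware fix is in place.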
KMW is headquartered in Romania; affected cameras are deployed worldwide across commercial facilities, government services, critical manufacturing, financial services, and transportation systems. Souvik Kandar reported the vulnerability to CISA.
Deep Fathom