The Broadside · News · 1 min read

CISA flags H.VIEW HV-500S6 flaws without vendor fix

For operators, vendor silence turns two high-severity camera bugs into an isolation or replacement decision.


TL;DR

CISA published ICSA-26-176-05 for the H.VIEW HV-500S6 IP Camera running IPCAM_V4.06.88.251229, covering CVE-2026-55975 command injection and CVE-2026-56414 arbitrary file upload. Both carry CVSS 3.1 scores of 7.2 and CVSS 4.0 scores of 8.6. State and municipal IT teams, contractors, and assessors with these cameras in commercial-facilities environments get the unpleasant part: H.View did not respond to CISA coordination, and CISA lists no vendor patch.

CISA’s advisory is not complicated: an authenticated user with high privileges can abuse certificate-related functions on H.VIEW HV-500S6 IP cameras to execute commands or place arbitrary persistent file content where trusted certificate material should live. The affected firmware is IPCAM_V4.06.88.251229, and CISA says it has no reports of public exploitation targeting these vulnerabilities.

The operational problem is the remediation section. H.View did not respond to CISA’s coordination request, so the advisory points users back to H.View support rather than to a fixed firmware version. That leaves state CISOs, municipal IT teams, contractors, and facility operators with the usual compensating controls: remove internet exposure, put the cameras behind firewalls, isolate them from business networks, and treat remote access as another risk surface to manage.

For assessors, this is also a procurement and asset-management finding, not just a vulnerability ticket. If a camera can run code after an authenticated management action and the vendor has not provided a patch path, the defensible options are containment, replacement planning, or documented acceptance of a device whose security update story is currently blank.


Published · Deep Fathom
