CISA has published an advisory detailing two high-severity vulnerabilities in the H.VIEW HV-500S6 IP camera running firmware version IPCAM_V4.06.88.251229. Successful exploitation could allow an authenticated attacker to execute arbitrary operating system commands and write arbitrary files to persistent storage locations on the affected device.

Vulnerability Details

CVE-2026-55975 (OS Command Injection, CWE-78): The camera’s certificate generation interface accepts XML input from authenticated users without adequate sanitization. Unsanitized field values are passed directly into a backend command responsible for certificate creation, enabling command injection with elevated privileges. Both CVSS v3.1 and v4.0 scores rate this issue as HIGH, with base scores of 7.2 and 8.6 respectively. The issue is exploitable over the network, requires no user interaction, and requires only high-privilege authentication.
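The handling that closes this class of flaw, as an added example that is not from the advisory or from H.VIEW firmware: each XML field is checked against an allowlist and the values reach the backend as one argv element instead of a shell string. The element names, the `openssl req` backend and the file paths are assumptions; the advisory does not name them.

```python
import re
import xml.etree.ElementTree as ET

MAX_REQUEST_BYTES = 4096  # assumed cap; certificate requests are small

# Hypothetical element names with allowlist patterns. No shell
# metacharacters, '/' or '=' can pass, so neither the command line nor
# the subject string can be restructured by a field value.
FIELD_PATTERNS = {
    "Country": re.compile(r"[A-Z]{2}"),
    "Organization": re.compile(r"[A-Za-z0-9 .-]{1,64}"),
    "CommonName": re.compile(r"[A-Za-z0-9.-]{1,64}"),
}
SUBJECT_KEYS = {"Country": "C", "Organization": "O", "CommonName": "CN"}


def parse_cert_request(xml_text: str) -> dict:
    """Parse the request XML; raise ValueError on anything unexpected."""
    if len(xml_text.encode()) > MAX_REQUEST_BYTES:
        raise ValueError("request too large")
    try:
        # Stdlib parser keeps the example dependency-free; a hardened
        # parser such as defusedxml is preferable for untrusted input.
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("malformed XML") from exc
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        value = root.findtext(name) or ""
        if not pattern.fullmatch(value):
            raise ValueError(f"field {name} rejected")
        fields[name] = value
    return fields


def build_csr_argv(fields: dict, key_path: str, out_path: str) -> list:
    """Build an argv list for subprocess.run(argv) with no shell involved."""
    subject = "".join(f"/{SUBJECT_KEYS[n]}={fields[n]}" for n in FIELD_PATTERNS)
    return ["openssl", "req", "-new", "-key", key_path,
            "-out", out_path, "-subj", subject]


# Constructed sample request (not taken from the device).
SAMPLE = ("<CertificateRequest><Country>JP</Country>"
          "<Organization>Example Corp</Organization>"
          "<CommonName>cam1.example.com</CommonName></CertificateRequest>")

if __name__ == "__main__":
    print(build_csr_argv(parse_cert_request(SAMPLE), "/tmp/cam.key", "/tmp/cam.csr"))
```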

CVE-2026-56414 (Unrestricted File Upload, CWE-434): Certificate-related upload interfaces on the same device permit authenticated users to write arbitrary file content to fixed, persistent filesystem locations. No validation of file type, structure, or size is performed. Because the affected storage locations persist across reboots and are intended for trusted certificate material, this flaw could be used to place malicious or malformed data in ways that affect system integrity over time. CVSS scores are identical to those assigned to CVE-2026-55975.

No Patch Available

H.VIEW did not respond to CISA’s coordination requests, and no remediation has been released. CISA encourages affected users to contact the vendor directly through the H.VIEW support page. In the absence of a patch, organizations should apply the following defensive measures:

  • Remove IP cameras from direct internet exposure and place them behind firewalls, isolated from business networks.
  • Use VPNs for any required remote access, keeping VPN software updated to the latest available version.
  • Conduct a thorough impact analysis and risk assessment before deploying compensating controls.

Context

The vulnerabilities were discovered by Fukuhara Rikuto of Smooth Inc. and Hosei University, who reported them to CISA. The HV-500S6 is deployed worldwide, primarily in commercial facilities. CISA notes no known public exploitation of these vulnerabilities at the time of publication. The advisory was initially released on June 25, 2026.