Description
An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras.
Published: 2026-04-27
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

An out-of-bounds memory access flaw allows a buffer overflow on the heap, enabling an attacker to overwrite critical control data. In practice this can lead to arbitrary code execution or severe disruption of the camera’s operation, compromising confidentiality, integrity, and availability of the device.

Affected Systems

The vulnerability affects a wide range of Milesight AIOT camera models, including, but not limited to, MS-C2964-RFLPC, MS-C2966-RFLWPC, MS-C2966-X12RLPC, MS-C2972-RFLPC, MS-C5321-FPE, MS-C5366-X12LPC, and numerous others listed in the vendor’s advisory. All firmware versions prior to the updates specified by Milesight are considered vulnerable.

Risk and Exploitability

The CVSS score of 8.6 classifies this flaw as high severity. EPSS data is not available, but the flaw’s nature and the extensive device list raise concerns for potential exploitation via network traffic. The vulnerability is not currently catalogued in CISA’s KEV list. The likely attack vector is remote, accessed through network interfaces that the camera exposes, although an attacker must have the ability to deliver crafted input to trigger the overflow.

Generated by OpenCVE AI on April 28, 2026 at 12:38 UTC.

Remediation

Vendor Solution

Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.  https://www.milesight.com/support/download/firmware MS-Cxx63-PD: Update to 51.7.0.77-r13 MS-Cxx64-xPD: Update to 51.7.0.77-r13 MS-Cxx73-xPD: Update to 51.7.0.77-r13 MS-Cxx75-xxPD: Update to 51.7.0.77-r13 MS-Cxx83-xPD: Update to 51.7.0.77-r13 MS-Cxx74-PA: Update to 3x.8.0.3-r13 MS-C8477-HPG1: Update to 63.8.0.4-r4  MS-C8477-PC: Update to 48.8.0.4-r4 MS-C5321-FPE: Update to 62.8.0.4-r6 MS-Cxx72-xxxPE: Update to 61.8.0.5-r2 MS-Cxx62-xxxPE: Update to 61.8.0.5-r2 MS-Cxx52-xxxPE: Update to 61.8.0.5-r2 MS-Cxx66-xxxPE: Update to 61.8.0.5-r2 MS-Cxx66-xxxGPE: Update to 61.8.0.5-r2 MS-Cxx61-xxxPE: Update to 61.8.0.5-r2 MS-Cxx67-xxxPE: Update to 61.8.0.5-r2 MS-Cxx71-xxxPE: Update to 61.8.0.5-r2 MS-Cxx41-xxxPE: Update to 61.8.0.5-r2 MS-Cxx76-PE: Update to 61.8.0.5-r2 MS-Cxx65-PE: Update to 61.8.0.5-r2 MS-Cxx66-xxxG1: Update to 63.8.0.5-r4 MS-Cxx62-xxxG1: Update to 63.8.0.5-r4 MS-Cxx72-xxxG1: Update to 63.8.0.5-r4 MS-CQxx31-xxxG1: Update to CQ_63.8.0.5-r2  MS-CQxx68-xxxG1: Update to CQ_63.8.0.5-r2 MS-CQxx72-xxxG1: Update to CQ_63.8.0.5-r2 MS-Nxxxx-NxE: Update to 7x.9.0.19-r6 MS-Nxxxx-xxC: Update to 7x.9.0.19-r6 MS-Nxxxx-xxE: Update to 7x.9.0.19-r6 MS-Nxxxx-xxG: Update to 7x.9.0.19-r6 MS-Nxxxx-xxH: Update to 7x.9.0.19-r6 MS-Nxxxx-xxT: Update to 7x.9.0.19-r6 PMC8266-FPE: Update to PO_61.8.0.4-r1 PMC8266-FGPE: Update to PO_61.8.0.4-r1 PM3322-E: Update to PI_61.8.0.3-r5 TS4466-X4RIPG1: Update to T_63.8.0.4-r4  TS5366-X12RIPG1: Update to T_63.8.0.4-r4 TS8266-X4RIPG1: Update to T_63.8.0.4-r4 TS4466-X4RIVPG1: Update to T_63.8.0.4-r4 TS4466-RFIVPG1: Update to T_63.8.0.4-r4 TS8266-X4RIVPG1: Update to T_63.8.0.4-r4 TS8266-RFIVPG1: Update to T_63.8.0.4-r4 TS4466-X4RIWG1: Update to T_63.8.0.4-r4 TS8266-X4RIWG1: Update to T_63.8.0.4-r4 TS5510-GVH: Update to T_47.8.0.4-r8 TS5510-GH: Update to T_47.8.0.4-r8 TS5511-GVH: Update to T_47.8.0.4-r8 TS2966-X12TPE: Update to T_61.8.0.4-r4 TS4466-X4RPE: Update to T_61.8.0.4-r4 TS5366-X12PE: Update to T_61.8.0.4-r4 TS8266-X4PE: Update to T_61.8.0.4-r4 TS2966-X12TVPE: Update to T_61.8.0.4-r4 TS4466-X4RVPE: Update to T_61.8.0.4-r4 TS5366-X12VPE: Update to T_61.8.0.4-r4 TS8266-X4VPE: Update to T_61.8.0.4-r4 TS4441-X36RPE: Update to T_61.8.0.4-r4 TS4441-X36RE: Update to T_61.8.0.4-r4 TS4466-X4RWE: Update to T_61.8.0.4-r4 TS8266-X4WE: Update to T_61.8.0.4-r4 MS-C2964-RFLPC: Update to T_45.8.0.3-r10 MS-C2972-RFLPC: Update to T_45.8.0.3-r10 MS-C2966-RFLWPC: Update to T_45.8.0.3-r10 TS2866-X4TPC: Update to T_45.8.0.3-r10 TS2866-X4TVPC: Update to T_45.8.0.3-r10 TS2866-X4TGPC: Update to T_45.8.0.3-r10 TS2841-X36TPC: Update to T_45.8.0.3-r10 TS2841-X36TPC/W: Update to T_45.8.0.3-r10 TS2867-X5TPC: Update to T_45.8.0.3-r10 TS2961-X12TPC: Update to T_45.8.0.3-r10 TS8266-FPC/P: Update to T_45.8.0.3-r10 MS-C2966-X12RLPC: Update to T_45.8.0.3-r10 MS-C2966-X12RLVPC: Update to T_45.8.0.3-r10 MS-C5366-X12LPC: Update to T_45.8.0.3-r10 MS-C5366-X12LVPC: Update to T_45.8.0.3-r10 MS-C5361-X12LPC: Update to T_45.8.0.3-r10 MS-Cxx66-xxxxGOPC: Update to 45.8.0.2-AIoT-r5 SC211: Update to C_21.1.0.8-r5 SP111: Update to 52.8.0.4-r6 MS-Cxx66-RFIPKG1: Update to 63.8.0.5-r2-NX MS-Cxx72-RFIPKG1: Update to 63.8.0.5-r2-NX MS-Cxx66-FIPKG1: Update to 63.8.0.5-r2-NX MS-Cxx72-FIPKG1: Update to 63.8.0.5-r2-NX

OpenCVE Recommended Actions

  • Identify all impacted Milesight camera models and confirm their current firmware version.
  • Download the latest firmware from the official Milesight support site (https://www.milesight.com/support/download/firmware).
  • Upload and apply the firmware updates specific to each model as listed in the vendor’s advisory.

Generated by OpenCVE AI on April 28, 2026 at 12:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Milesight
Milesight ms-c2964-rflpc
Milesight ms-c2966-rflwpc
Milesight ms-c2966-x12rlpc
Milesight ms-c2966-x12rlvpc
Milesight ms-c2972-rflpc
Milesight ms-c5321-fpe
Milesight ms-c5361-x12lpc
Milesight ms-c5366-x12lpc
Milesight ms-c5366-x12lvpc
Milesight ms-c8477-hpg1
Milesight ms-c8477-pc
Milesight ms-cqxx31-xxxg1
Milesight ms-cqxx68-xxxg1
Milesight ms-cqxx72-xxxg1
Milesight ms-cxx41-xxxpe
Milesight ms-cxx52-xxxpe
Milesight ms-cxx61-xxxpe
Milesight ms-cxx62-xxxg1
Milesight ms-cxx62-xxxpe
Milesight ms-cxx63-pd
Milesight ms-cxx64-xpd
Milesight ms-cxx65-pe
Milesight ms-cxx66-fipkg1
Milesight ms-cxx66-rfipkg1
Milesight ms-cxx66-xxxg1
Milesight ms-cxx66-xxxgpe
Milesight ms-cxx66-xxxpe
Milesight ms-cxx66-xxxxgopc
Milesight ms-cxx67-xxxpe
Milesight ms-cxx71-xxxpe
Milesight ms-cxx72-fipkg1
Milesight ms-cxx72-rfipkg1
Milesight ms-cxx72-xxxg1
Milesight ms-cxx72-xxxpe
Milesight ms-cxx73-xpd
Milesight ms-cxx74-pa
Milesight ms-cxx75-xxpd
Milesight ms-cxx76-pe
Milesight ms-cxx83-xpd
Milesight ms-nxxxx-nxe
Milesight ms-nxxxx-xxc
Milesight ms-nxxxx-xxe
Milesight ms-nxxxx-xxg
Milesight ms-nxxxx-xxh
Milesight ms-nxxxx-xxt
Milesight pm3322-e
Milesight pmc8266-fgpe
Milesight pmc8266-fpe
Milesight sc211
Milesight sp111
Milesight ts2841-x36tpc
Milesight ts2841-x36tpc/w
Milesight ts2866-x4tgpc
Milesight ts2866-x4tpc
Milesight ts2866-x4tvpc
Milesight ts2867-x5tpc
Milesight ts2961-x12tpc
Milesight ts2966-x12tpe
Milesight ts2966-x12tvpe
Milesight ts4441-x36re
Milesight ts4441-x36rpe
Milesight ts4466-rfivpg1
Milesight ts4466-x4ripg1
Milesight ts4466-x4rivpg1
Milesight ts4466-x4riwg1
Milesight ts4466-x4rpe
Milesight ts4466-x4rvpe
Milesight ts4466-x4rwe
Milesight ts5366-x12pe
Milesight ts5366-x12ripg1
Milesight ts5366-x12vpe
Milesight ts5510-gh
Milesight ts5510-gvh
Milesight ts5511-gvh
Milesight ts8266-fpc/p
Milesight ts8266-rfivpg1
Milesight ts8266-x4pe
Milesight ts8266-x4ripg1
Milesight ts8266-x4rivpg1
Milesight ts8266-x4riwg1
Milesight ts8266-x4vpe
Milesight ts8266-x4we
Vendors & Products Milesight
Milesight ms-c2964-rflpc
Milesight ms-c2966-rflwpc
Milesight ms-c2966-x12rlpc
Milesight ms-c2966-x12rlvpc
Milesight ms-c2972-rflpc
Milesight ms-c5321-fpe
Milesight ms-c5361-x12lpc
Milesight ms-c5366-x12lpc
Milesight ms-c5366-x12lvpc
Milesight ms-c8477-hpg1
Milesight ms-c8477-pc
Milesight ms-cqxx31-xxxg1
Milesight ms-cqxx68-xxxg1
Milesight ms-cqxx72-xxxg1
Milesight ms-cxx41-xxxpe
Milesight ms-cxx52-xxxpe
Milesight ms-cxx61-xxxpe
Milesight ms-cxx62-xxxg1
Milesight ms-cxx62-xxxpe
Milesight ms-cxx63-pd
Milesight ms-cxx64-xpd
Milesight ms-cxx65-pe
Milesight ms-cxx66-fipkg1
Milesight ms-cxx66-rfipkg1
Milesight ms-cxx66-xxxg1
Milesight ms-cxx66-xxxgpe
Milesight ms-cxx66-xxxpe
Milesight ms-cxx66-xxxxgopc
Milesight ms-cxx67-xxxpe
Milesight ms-cxx71-xxxpe
Milesight ms-cxx72-fipkg1
Milesight ms-cxx72-rfipkg1
Milesight ms-cxx72-xxxg1
Milesight ms-cxx72-xxxpe
Milesight ms-cxx73-xpd
Milesight ms-cxx74-pa
Milesight ms-cxx75-xxpd
Milesight ms-cxx76-pe
Milesight ms-cxx83-xpd
Milesight ms-nxxxx-nxe
Milesight ms-nxxxx-xxc
Milesight ms-nxxxx-xxe
Milesight ms-nxxxx-xxg
Milesight ms-nxxxx-xxh
Milesight ms-nxxxx-xxt
Milesight pm3322-e
Milesight pmc8266-fgpe
Milesight pmc8266-fpe
Milesight sc211
Milesight sp111
Milesight ts2841-x36tpc
Milesight ts2841-x36tpc/w
Milesight ts2866-x4tgpc
Milesight ts2866-x4tpc
Milesight ts2866-x4tvpc
Milesight ts2867-x5tpc
Milesight ts2961-x12tpc
Milesight ts2966-x12tpe
Milesight ts2966-x12tvpe
Milesight ts4441-x36re
Milesight ts4441-x36rpe
Milesight ts4466-rfivpg1
Milesight ts4466-x4ripg1
Milesight ts4466-x4rivpg1
Milesight ts4466-x4riwg1
Milesight ts4466-x4rpe
Milesight ts4466-x4rvpe
Milesight ts4466-x4rwe
Milesight ts5366-x12pe
Milesight ts5366-x12ripg1
Milesight ts5366-x12vpe
Milesight ts5510-gh
Milesight ts5510-gvh
Milesight ts5511-gvh
Milesight ts8266-fpc/p
Milesight ts8266-rfivpg1
Milesight ts8266-x4pe
Milesight ts8266-x4ripg1
Milesight ts8266-x4rivpg1
Milesight ts8266-x4riwg1
Milesight ts8266-x4vpe
Milesight ts8266-x4we

Tue, 28 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras.
Title Milesight Cameras Heap-based Buffer Overflow
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Milesight Ms-c2964-rflpc Ms-c2966-rflwpc Ms-c2966-x12rlpc Ms-c2966-x12rlvpc Ms-c2972-rflpc Ms-c5321-fpe Ms-c5361-x12lpc Ms-c5366-x12lpc Ms-c5366-x12lvpc Ms-c8477-hpg1 Ms-c8477-pc Ms-cqxx31-xxxg1 Ms-cqxx68-xxxg1 Ms-cqxx72-xxxg1 Ms-cxx41-xxxpe Ms-cxx52-xxxpe Ms-cxx61-xxxpe Ms-cxx62-xxxg1 Ms-cxx62-xxxpe Ms-cxx63-pd Ms-cxx64-xpd Ms-cxx65-pe Ms-cxx66-fipkg1 Ms-cxx66-rfipkg1 Ms-cxx66-xxxg1 Ms-cxx66-xxxgpe Ms-cxx66-xxxpe Ms-cxx66-xxxxgopc Ms-cxx67-xxxpe Ms-cxx71-xxxpe Ms-cxx72-fipkg1 Ms-cxx72-rfipkg1 Ms-cxx72-xxxg1 Ms-cxx72-xxxpe Ms-cxx73-xpd Ms-cxx74-pa Ms-cxx75-xxpd Ms-cxx76-pe Ms-cxx83-xpd Ms-nxxxx-nxe Ms-nxxxx-xxc Ms-nxxxx-xxe Ms-nxxxx-xxg Ms-nxxxx-xxh Ms-nxxxx-xxt Pm3322-e Pmc8266-fgpe Pmc8266-fpe Sc211 Sp111 Ts2841-x36tpc Ts2841-x36tpc/w Ts2866-x4tgpc Ts2866-x4tpc Ts2866-x4tvpc Ts2867-x5tpc Ts2961-x12tpc Ts2966-x12tpe Ts2966-x12tvpe Ts4441-x36re Ts4441-x36rpe Ts4466-rfivpg1 Ts4466-x4ripg1 Ts4466-x4rivpg1 Ts4466-x4riwg1 Ts4466-x4rpe Ts4466-x4rvpe Ts4466-x4rwe Ts5366-x12pe Ts5366-x12ripg1 Ts5366-x12vpe Ts5510-gh Ts5510-gvh Ts5511-gvh Ts8266-fpc/p Ts8266-rfivpg1 Ts8266-x4pe Ts8266-x4ripg1 Ts8266-x4rivpg1 Ts8266-x4riwg1 Ts8266-x4vpe Ts8266-x4we
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-28T14:39:17.799Z

Reserved: 2026-03-12T17:51:09.860Z

Link: CVE-2026-20766

cve-icon Vulnrichment

Updated: 2026-04-28T14:38:27.119Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-28T01:16:00.233

Modified: 2026-04-28T20:11:56.713

Link: CVE-2026-20766

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T12:45:31Z

Weaknesses