Description
Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+
cameras may allow a remote, unauthenticated attacker to achieve
arbitrary code execution via a specially crafted web request.
Published: 2026-06-18
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper input validation flaw exists in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras. The vulnerability permits a remote, unauthenticated attacker to send a specially crafted web request that results in arbitrary code execution on the device. With arbitrary code execution, an attacker could compromise the camera, exfiltrate data, tamper with recordings, or disrupt network operations, impacting confidentiality, integrity, and availability.

Affected Systems

The flaw affects AVer camera models PTC115, PTC115+, PTC500+, and PTC500S. No specific firmware versions are listed, so all currently deployed units of these models are potentially vulnerable unless patched.

Risk and Exploitability

The CVSS score of 9.3 reflects critical severity, and the lack of an EPSS score does not diminish the high risk implied by the CVSS. The vulnerability is not yet listed in the CISA KEV catalog. The attack vector is remote via the camera's web interface, requiring no authentication, making exploitation highly likely if the device is reachable from an external or compromised network.

Generated by OpenCVE AI on June 19, 2026 at 01:20 UTC.

Remediation

Vendor Solution

AVer has provided a firmware fix to address this vulnerability; users can find it at the following location: https://presentation.aver.com/DownloadFile.aspx?n=6617%7C1C01A887-7CDC-4C96-AD9A-11D53DE1AD71&t=ServiceDownload


OpenCVE Recommended Actions

  • Apply the firmware fix from AVer as described in the vendor's release at the provided URL
  • Restrict network access to the camera web interface by implementing firewall rules or placing devices on an isolated VLAN
  • Enable strong authentication mechanisms and disable any unused services or interfaces on the cameras

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request.
Title | | AVer PTC cameras Files or Directories Accessible to External Parties
Weaknesses | | CWE-552
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-18T23:54:51.183Z

Reserved: 2026-05-07T16:55:26.076Z

Link: CVE-2026-40624

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T01:30:16Z

Weaknesses
  • CWE-552

    Files or Directories Accessible to External Parties