Description
The Kenik camera management panel is vulnerable to path traversal. An unauthenticated attacker can send a GET request with an arbitrary file path and read the corresponding files located on the server.

The issue was fixed in version 2026-04-23 of the KG-5260xxxx-IL-(G)2 cameras.
The rest of the products were fixed in version 2025-04-21.
Published: 2026-05-25
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw exists in the Kenik camera management panel that lets an unauthenticated user send a crafted GET request with an arbitrary file path and read the corresponding file from the server. This allows confidential data, such as configuration files or credentials, to be exposed to an attacker, constituting a remote file read vulnerability.

Affected Systems

The vulnerability affects the Kenik camera family including models KG-5230DAS-IL-G3, KG-5230TAS-IL-3, KG-5230TAS-IL-G3, KG-5260DZAS-IL-3, KG-5260DZAS-IL-G3, KG-5260TZAS-IL-3, KG-5260TZAS-IL-G3, and the generic KG-5260xxxx-IL-(G)2 line. All firmware versions prior to 2025-04-21 are vulnerable, except for the KG-5260xxxx-IL-(G)2 which requires at least 2026-04-23 to be secure.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity. The EPSS score is currently unavailable, and the issue has not been listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by issuing an HTTP GET request to the camera’s management interface; no authentication is required. Note that the published CVSS 4.0 vector scores the attack vector as Adjacent (AV:A). Successful exploitation grants read access to any file on the server, which could expose sensitive data. The threat is significant, especially for devices exposed directly to the internet or lacking proper network segmentation.

Generated by OpenCVE AI on May 25, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official firmware update: for all affected models upgrade to at least version 2025-04-21, and for the KG-5260xxxx-IL-(G)2 variant upgrade to version 2026-04-23.
  • Restrict external access to the camera management portal by placing the devices behind a firewall or VPN so that only trusted networks can reach it.
  • Enforce authentication for the management interface and monitor all access logs for anomalous file‑access attempts.
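The first recommended action depends on knowing which fixed version applies to which model. The following is an added example, not part of the advisory or any vendor tooling, that audits a camera inventory against the two fixed versions stated above. It assumes firmware versions are recorded as ISO dates, that "xxxx" in KG-5260xxxx-IL-(G)2 stands for a four-character variant code, and that "(G)" means an optional G; the inventory rows are constructed sample data.

```python
import re
from datetime import date

# Fixed firmware versions as stated in the advisory text.
FIXED_G2_LINE = date(2026, 4, 23)  # KG-5260xxxx-IL-(G)2 cameras
FIXED_OTHERS = date(2025, 4, 21)   # rest of the affected products

# Assumption: "xxxx" = four-character variant code, "(G)" = optional G.
G2_LINE = re.compile(r"^KG-5260[A-Z0-9]{4}-IL-G?2$")
# Remaining models named in the Affected Systems section.
OTHER_MODELS = {
    "KG-5230DAS-IL-G3", "KG-5230TAS-IL-3", "KG-5230TAS-IL-G3",
    "KG-5260DZAS-IL-3", "KG-5260DZAS-IL-G3",
    "KG-5260TZAS-IL-3", "KG-5260TZAS-IL-G3",
}

def required_version(model):
    """Return the minimum fixed firmware date for a model, or None if not listed."""
    name = model.strip().upper()
    if G2_LINE.match(name):
        return FIXED_G2_LINE
    if name in OTHER_MODELS:
        return FIXED_OTHERS
    return None

def audit(inventory):
    """Classify each (host, model, firmware) row; never silently pass bad data."""
    findings = []
    for host, model, firmware in inventory:
        need = required_version(model)
        if need is None:
            status = "UNKNOWN_MODEL"
        else:
            try:
                have = date.fromisoformat(firmware.strip())
                status = "PATCHED" if have >= need else "VULNERABLE"
            except ValueError:
                status = "UNPARSEABLE_VERSION"  # needs manual review
        findings.append((host, status))
    return findings

# Constructed sample inventory (documentation-range addresses).
SAMPLE = [
    ("192.0.2.10", "KG-5260DZAS-IL-G2", "2025-06-01"),  # newer than 2025-04-21, still unfixed
    ("192.0.2.11", "KG-5260DZAS-IL-G3", "2025-06-01"),
    ("192.0.2.12", "KG-5230TAS-IL-3", "2024-11-30"),
    ("192.0.2.13", "kg-5260tzas-il-2", "2026-04-23"),
    ("192.0.2.14", "KG-5260TZAS-IL-G3", "v3.1"),
    ("192.0.2.15", "KG-9999X", "2026-01-01"),
]
```

The first sample row is the case to watch for: a (G)2-line camera running firmware newer than 2025-04-21 is still reported as vulnerable because its fix arrived in 2026-04-23.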


Advisories

No advisories yet.

History

Mon, 25 May 2026 12:30:00 +0000

Type Values Removed Values Added
Description Kenik Camera management Panel is vulnerable to Path Traversal vulnerability. An unauthenticated attacker can send GET request with arbitrary file path and read corresponding files located on the server. The issue was fixed in version 2026-04-23 of the KG-5260xxxx-IL-(G)2 cameras. Rest of the products were fixed in version 2025-04-21.
Title Path Traversal in Kenik cameras
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-25T11:16:22.837Z

Reserved: 2026-05-04T10:01:33.811Z

Link: CVE-2026-7766

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T13:30:26Z

Weaknesses