CVE-2026-40624 — AVer PTC-series conference cameras: unauthenticated RCE via the management web interface
From CTI Daily Brief — 2026-06-20 · published 2026-06-20
CVE-2026-40624 (CVSS v3.1 base score 9.8; CISA classes it as CWE-552, files or directories accessible to external parties) lets a remote, unauthenticated attacker execute arbitrary code on AVer PTC500S, PTC115, PTC500+ and PTC115+ PTZ cameras by sending a crafted request to the web-based management interface (CISA ICS advisory ICSA-26-169-01, 2026-06-18). NCSC-CH echoed the advisory the following day and lists exploitation status as unknown (NCSC-CH, 2026-06-19). The CWE-552 mapping points to a flaw reached through an exposed file or directory path on the web interface rather than a memory-corruption bug, so every host that can reach the interface over the network is a potential attacker: no credentials, user interaction or prior access are needed.

Why it matters: these cameras are common in government meeting rooms, lecture halls and legislative-chamber hybrid-meeting setups, where they sit next to conferencing and meeting infrastructure on frequently flat networks. A compromised unit gives an attacker device takeover plus a lateral-movement foothold inside the facility network.

Mitigation: AVer has shipped firmware fixes; apply the vendor-listed firmware for each affected model. Until then, place the cameras on an isolated VLAN with no internet egress and restrict the management interface to trusted admin hosts. Because the bug needs no authentication, that restriction has to be enforced at the VLAN boundary (an allow-list of admin subnets), not by a password on the interface.

Hunting: look for HTTP(S) requests to the camera management interface from anything other than admin subnets, and for any outbound connection initiated by a camera IP range. Cameras should never initiate arbitrary egress, so baseline the few flows they legitimately originate (for example NTP, or streams to the conferencing endpoint) and alert on everything else.
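The two hunts above, as an added example that is not part of the brief or of any AVer or CISA material: a small Python script that runs over Zeek-style conn.log records and flags management-port connections to a camera from a non-admin source, and any connection a camera originates that is not on a short egress allow-list. The subnets, the allow-list and the log records are all constructed for the example; substitute your own camera and admin ranges.

```python
"""Hunt for management-interface abuse and unexpected camera egress.

Added example, not code from the CTI brief, CISA or AVer. Assumes
tab-separated Zeek conn.log records with the fields
ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto (orig = initiator).
All addresses, subnets and records below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed network layout (assumption): cameras in 10.50.0.0/24,
# administrators in 10.10.0.0/24.
CAMERA_NETS = [ipaddress.ip_network("10.50.0.0/24")]
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
MGMT_PORTS = {80, 443}
# Egress the camera VLAN may initiate (assumption): NTP to one internal
# time server. Everything else a camera originates is reported.
EGRESS_ALLOW = {("10.10.0.5", 123)}

# Constructed sample log: admin login, non-admin probe of the web UI,
# legitimate NTP, a camera calling out to the internet, and an RTSP pull
# from a non-admin host (not a management port, so not reported).
SAMPLE_CONN_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1781000000.1\t10.10.0.7\t51000\t10.50.0.21\t443\ttcp
1781000001.2\t10.20.3.44\t49222\t10.50.0.21\t80\ttcp
1781000002.3\t10.50.0.21\t40000\t10.10.0.5\t123\tudp
1781000003.4\t10.50.0.21\t40001\t203.0.113.9\t4444\ttcp
1781000004.5\t10.20.3.44\t49223\t10.50.0.21\t554\ttcp
"""


@dataclass
class Finding:
    ts: str
    rule: str
    src: str
    dst: str
    dport: int


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def parse_conn(line):
    """Parse one conn.log record; None for comment or malformed lines."""
    if not line or line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 6:
        return None
    try:
        return {
            "ts": f[0],
            "src": ipaddress.ip_address(f[1]),
            "sport": int(f[2]),
            "dst": ipaddress.ip_address(f[3]),
            "dport": int(f[4]),
            "proto": f[5],
        }
    except ValueError:
        return None


def hunt(lines):
    """Apply both hunt rules to an iterable of conn.log lines."""
    findings = []
    for line in lines:
        r = parse_conn(line)
        if r is None:
            continue
        src, dst = r["src"], r["dst"]
        # Rule 1: management port on a camera reached from a non-admin host.
        if (_in_any(dst, CAMERA_NETS) and r["proto"] == "tcp"
                and r["dport"] in MGMT_PORTS and not _in_any(src, ADMIN_NETS)):
            findings.append(Finding(r["ts"], "mgmt-from-non-admin",
                                    str(src), str(dst), r["dport"]))
        # Rule 2: a camera initiated a flow that is not on the egress allow-list.
        if _in_any(src, CAMERA_NETS) and (str(dst), r["dport"]) not in EGRESS_ALLOW:
            findings.append(Finding(r["ts"], "camera-egress",
                                    str(src), str(dst), r["dport"]))
    return findings


def run_sample():
    """Run the hunt over the constructed sample log."""
    return hunt(SAMPLE_CONN_LOG.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts} {f.rule}: {f.src} -> {f.dst}:{f.dport}")
```

Run against a real conn.log with `hunt(open(path))`. The RTSP record is deliberately left unreported: the brief's hunt is about the management interface, and stream pulls from a conferencing codec are normal. Rule 2 is strict on purpose; grow EGRESS_ALLOW from an observed baseline rather than loosening the rule.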