Home · Live brief · Daily brief 2026-06-20
CVE-2026-40624 — AVer PTC-series conference cameras: unauthenticated RCE via the management web interface
Entities: NCSC-CH
Part of run 2026-06-20-4cfd00ef (intel · Anthropic Claude (specific model not determined))
CVE-2026-40624 (CVSS 3.1 9.8; CISA classes it CWE-552, files or directories accessible to external parties) lets a remote, unauthenticated attacker execute arbitrary code on AVer PTC500S, PTC115, PTC500+ and PTC115+ PTZ cameras by sending a crafted request to the web-based management interface (CISA ICS advisory ICSA-26-169-01, 2026-06-18). NCSC-CH echoed the advisory the following day and lists exploitation status as unknown (NCSC-CH, 2026-06-19). These cameras are common in government meeting rooms, lecture halls and legislative-chamber hybrid-meeting setups — placed adjacent to meeting infrastructure on frequently flat networks, they offer device takeover plus a lateral-movement foothold. AVer has shipped firmware fixes; interim mitigation is to put cameras on an isolated VLAN with no internet egress and restrict the management interface to trusted admin hosts. Hunt for unexpected HTTP requests to the camera management interface from non-admin subnets and any outbound connections initiated by camera IP ranges (cameras should never initiate arbitrary egress).
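The two hunt signals above (management-interface access from non-admin subnets, and any connection initiated by a camera) can be expressed as a small filter over flow records. The script below is an added example, not part of the advisory, NCSC-CH's brief, or any AVer tooling; the camera VLAN, admin subnet, allowed NTP destination and the flow-record layout are all constructed assumptions, and the sample records are made up for the demonstration.

```python
"""Hunt for the two network signals the brief names, over constructed flow records.

Record layout (constructed for this example, one connection initiation per line):
    <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
Adapt the parser to whatever your flow collector or firewall actually exports.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Hypothetical addressing, not from the advisory: the isolated camera VLAN, the
# admin jump-host subnet, and the only egress the cameras are permitted (NTP).
CAMERA_NETS = [ipaddress.ip_network("10.40.50.0/24")]
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
MGMT_PORTS = {80, 443}          # web management interface
ALLOWED_EGRESS = {(ipaddress.ip_address("10.10.0.123"), 123)}  # internal NTP

# Constructed sample records: admin access, a non-admin host probing the
# management port, a camera calling out to the internet, one camera reaching
# another camera's management port, and a camera's allowed NTP query.
CONSTRUCTED_FLOWS = """\
2026-06-19T08:01:02Z 10.10.0.5 10.40.50.21 443 tcp
2026-06-19T08:03:11Z 10.20.7.99 10.40.50.21 80 tcp
2026-06-19T08:04:40Z 10.40.50.21 203.0.113.8 4444 tcp
2026-06-19T08:05:00Z 10.40.50.21 10.40.50.22 80 tcp
2026-06-19T08:06:13Z 10.40.50.22 10.10.0.123 123 udp
"""


def _in_any(ip: ipaddress._BaseAddress, nets) -> bool:
    return any(ip in net for net in nets)


def classify(src: str, dst: str, dport: int) -> Optional[str]:
    """Return a signal label for one connection initiation, or None if benign."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Signal 1: the management interface reached from anything that is not an
    # admin host. This deliberately includes camera-to-camera management
    # traffic, since a compromised camera probing its neighbours is the
    # lateral-movement pattern the brief warns about.
    if _in_any(d, CAMERA_NETS) and dport in MGMT_PORTS and not _in_any(s, ADMIN_NETS):
        return "mgmt-access-from-non-admin"
    # Signal 2: a camera initiating a connection to anywhere outside its own
    # VLAN, other than the explicitly allowed service. Cameras answer requests;
    # they should not open connections of their own.
    if _in_any(s, CAMERA_NETS) and not _in_any(d, CAMERA_NETS) \
            and (d, dport) not in ALLOWED_EGRESS:
        return "camera-initiated-egress"
    return None


def hunt(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run classify() over flow lines; return (label, raw_line) for each hit."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:          # blank or malformed record: skip
            continue
        _ts, src, dst, dport, _proto = parts
        try:
            label = classify(src, dst, int(dport))
        except ValueError:           # unparsable address or port
            continue
        if label:
            hits.append((label, line))
    return hits


if __name__ == "__main__":
    for label, line in hunt(CONSTRUCTED_FLOWS.splitlines()):
        print(f"{label:28s} {line}")
```

On the constructed records this flags the non-admin probe, the camera's outbound connection to an external address, and the camera-to-camera management access, while leaving the admin session and the permitted NTP query alone. The allowlist is the part to tune: if a camera legitimately needs a firmware-update or logging destination, add that exact address and port rather than widening the exemption to a whole subnet.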
Action items
- Isolate and patch AVer PTC-series cameras (CVE-2026-40624): apply firmware, move cameras to a no-egress VLAN, restrict the management interface to admin hosts.