- CVE: CVE-2026-40624
- CVSS: 9.8 (Critical · CVSSv3)
- Product: AVer PTC500S
- Impact: Files or directories accessible to external parties (AVer PTC cameras)
- Status: No confirmed exploitation yet
- EPSS: 0.6% (30-day)
- Action: Update to the latest firmware
TL;DR
CISA published advisory ICSA-26-169-01 on June 18, 2026. It warns of an AVer PTC camera flaw tracked as CVE-2026-40624. The bug carries a critical CVSS score of 9.8 and allows remote code execution.
Why It Matters
AVer PTC cameras sit in government, healthcare, and commercial facilities worldwide, so one weak device can expose an entire network. A remote, unauthenticated attacker needs no password to strike. These cameras often share flat networks with meeting infrastructure. As a result, a hijacked unit can give an intruder a foothold for lateral movement.
How the Attack Works
The AVer PTC camera flaw stems from improper input validation. CISA maps it to CWE-552, which covers files exposed to outside parties. An attacker sends a crafted request to the web management interface. As a result, the camera runs attacker-supplied code. The bug also needs no user interaction. No working exploit appears here.
Affected Versions
The advisory marks every firmware version as vulnerable. The affected models are PTC500S, PTC115, PTC500+, and PTC115+.
Patch and Mitigation
AVer has shipped a firmware fix, so apply it now. Grab the update from AVer’s download page. Until you patch, isolate cameras on a separate VLAN. Also block internet access and limit the management interface to trusted hosts. Then watch camera logs for odd web requests from non-admin subnets. So far, no public exploitation has been confirmed.
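The log check described above can be scripted. The following is an added example, not code from CISA or AVer: it flags web requests to the cameras that come from outside the admin subnet. The log format (Common Log Format from a proxy or firewall in front of the cameras), the subnet `10.20.0.0/24`, and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the only subnet allowed to reach the camera management interface.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumption: Common Log Format lines from a proxy or firewall in front of the cameras.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input; addresses and paths are illustrative only.
SAMPLE = [
    '10.20.0.15 - - [18/Jun/2026:09:12:01 +0000] "GET / HTTP/1.1" 200 512',
    '10.30.4.77 - - [18/Jun/2026:09:13:44 +0000] "GET /login HTTP/1.1" 200 512',
    '10.30.4.77 - - [18/Jun/2026:09:13:45 +0000] "POST /login HTTP/1.1" 401 64',
    '192.168.50.9 - - [18/Jun/2026:09:20:10 +0000] "GET / HTTP/1.1" 200 512',
    'truncated entry with no request field',
]


def is_admin(src):
    """True when src parses as an IP address inside one of ADMIN_NETS."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are treated as untrusted
    return any(addr in net for net in ADMIN_NETS)


def flag_requests(lines):
    """Return (findings, unparsed) for requests from outside ADMIN_NETS."""
    findings, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # keep for review instead of dropping silently
        elif not is_admin(m["src"]):
            findings.append((m["src"], m["ts"], m["method"], m["path"], int(m["status"])))
    return findings, unparsed


if __name__ == "__main__":
    findings, unparsed = flag_requests(SAMPLE)
    for src, count in Counter(f[0] for f in findings).most_common():
        print(f"{src}: {count} request(s) from outside the admin subnet")
    print(f"{len(unparsed)} line(s) could not be parsed")
```

Once the management interface is restricted to trusted hosts, any finding here also means a network control is not enforcing that restriction.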