
Brickcom Cameras Expose Live Feeds via Unauthenticated /ONVIF and Default Creds

Two CVEs (7.7/8.3) allow any attacker to grab snapshot images and silently access camera feeds; Brickcom never responded to CISA's disclosure.

Tags: brickcom, cisa, cve-2026-50245, cve-2026-50005, iot security, default credentials

Anybody with a network path to a Brickcom camera can fetch a live snapshot by hitting the /ONVIF endpoint—no password required. CISA posted proof-of-concept details today for two CVEs affecting the entire Brickcom 3.2.3.5.6 lineup: Cube, Dome, Bullet, and Box models.

CVE-2026-50245: /ONVIF Endpoint Leaks Live Snapshots Without Authentication

The first bug is as basic as they come: the camera allows unauthenticated access to live snapshot images over the /ONVIF endpoint. Classified as CWE-306 (Missing Authentication for Critical Function), it scores 8.3 (HIGH) on CVSS 4.0. That means anyone who can reach the camera’s IP can pull a still frame of whatever that lens sees: no login, no token, no handshake. This is the kind of vulnerability that makes physical security cameras a liability, not an asset.

CVE-2026-50005: Default Credentials Let Attackers Walk Into Admin Control

Brickcom ships these cameras with default credentials still active. CVE-2026-50005 (CWE-1392, Use of Default Credentials) scores 8.3 on CVSS 4.0 and 7.7 on CVSS 3.1. The advisory warns that an unauthenticated remote attacker can silently access camera feeds and obtain administrative control. Silent is the operative word—no logs, no alerts, just a permanent backdoor for anyone who knows the factory password.

No Patch, No Response from Brickcom

CISA reports that Brickcom did not respond to the disclosure request. The only remediation offered is to contact the vendor (brickcom.com/case) or implement network isolation: firewalls, VPNs, and disconnecting cameras from the internet. Researcher Parsa Rezaie Khiabanloo authored the proofs of concept. No known public exploitation yet, but these are not complex attacks; both are essentially fire-and-forget against unpatched hardware.
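With no vendor fix, the defensive options are the isolation CISA describes plus watching for the two patterns above: unauthenticated requests to /ONVIF and successful use of factory accounts. The check below is an added example, not code from CISA, Brickcom or this article; it assumes a hypothetical access-log format from a gateway placed in front of the cameras, an assumed management subnet of 10.20.0.0/24, and a placeholder factory-account list.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed log format for a gateway in front of the cameras (hypothetical,
# not a Brickcom or CISA format): <ip> "<METHOD> <path>" <status> auth=<yes|no> user=<name|->
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) '
                    r"auth=(?P<auth>yes|no) user=(?P<user>\S+)$")

# Assumption: only the NVR/VMS segment may reach cameras (CISA's "network isolation").
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
# Placeholder: CISA does not publish the factory account names; take them from the manual.
FACTORY_ACCOUNTS = {"admin"}

Finding = namedtuple("Finding", "ip reason")

def audit_line(line):
    """Return a Finding for one log line, or None if benign or unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    served = m["status"] == "200"
    if not any(ip in net for net in ALLOWED_SOURCES):
        return Finding(str(ip), "camera reached from outside the isolated segment")
    if served and m["path"].lower().startswith("/onvif") and m["auth"] == "no":
        return Finding(str(ip), "unauthenticated /ONVIF request served (CVE-2026-50245 pattern)")
    if served and m["user"] in FACTORY_ACCOUNTS:
        return Finding(str(ip), "successful use of a factory account (CVE-2026-50005 pattern)")
    return None

def audit(lines):
    return [f for f in map(audit_line, lines) if f is not None]

# Constructed sample traffic, not real captures.
SAMPLE_LOG = [
    '10.20.0.5 "GET /ONVIF" 200 auth=yes user=nvr_svc',   # legitimate NVR poll
    '203.0.113.9 "GET /ONVIF" 200 auth=no user=-',        # exposure outside the segment
    '10.20.0.7 "GET /onvif" 200 auth=no user=-',          # bug present even in-segment
    '10.20.0.8 "POST /login" 200 auth=yes user=admin',    # factory account still live
    '10.20.0.8 "POST /login" 401 auth=yes user=admin',    # failed attempt, not flagged
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ip}: {f.reason}")
```

The out-of-segment check is evaluated first because a camera reachable from outside the isolated network is the finding that matters most regardless of what was requested.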

Users should treat any Brickcom camera on their network as compromised until proven otherwise. Without a fix from the manufacturer, isolating or replacing these devices is the only sane move.


Source: Brickcom Cameras
Domain: cisa.gov
