Severity: CRITICAL | Source: CISA ICS Advisory ICSA-26-113-03

The Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an Industrial Control Systems (ICS) advisory confirming multiple critical vulnerabilities in Milesight IP cameras, specifically the MS-Cxx63-PD series running firmware version 51.7.0.77-r12 and below. The confirmed CVEs include CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, and CVE-2026-20756.

Successful exploitation allows an attacker to crash the camera device entirely or execute arbitrary code on it remotely - meaning an attacker on the same network, or one who can reach the device over the internet, can take full control of it without physical access. These are not theoretical risks. CISA does not publish ICS advisories for low-likelihood scenarios.

Milesight cameras are among the most widely deployed surveillance solutions across East Africa due to their competitive pricing and availability through regional distributors. They are found in bank branches, government buildings, border checkpoints, hospital perimeters, data centers, and power substations across Kenya, Ethiopia, Somalia, Uganda, and Tanzania.

Impact Assessment for East African Organizations

Financial Services: Banks and SACCOs in Kenya, Ethiopia, and Somalia use IP cameras as part of branch physical security infrastructure. These cameras are frequently connected to the same network segments as teller workstations and ATM networks. A compromised camera gives an attacker a live foothold inside the network - directly violating CBK Cybersecurity Guidelines and PCI-DSS network segmentation requirements.

Government and Border Security: Kenyan and Ethiopian government facilities, including immigration and border control points, rely on CCTV infrastructure for both security and compliance. Remote code execution on a camera at a border post could allow adversaries to disable surveillance, manipulate footage, or pivot deeper into government networks - a significant national security exposure.

Power and Critical Infrastructure: Electricity generation and distribution facilities across the region, including Kenya Power substations and Ethiopia's EEPCO installations, use perimeter cameras as part of their physical-cyber security stack. Operational Technology (OT) environments are particularly vulnerable because firmware patching cycles are slow and network isolation is often incomplete.

Healthcare: Hospitals and health facilities funded by international donors across Somalia and Ethiopia have expanded their physical security infrastructure. Many of these environments have no dedicated security team to monitor camera firmware versions, making them easy targets.

Immediate Actions - Do This Now

  • Audit your camera inventory immediately. Identify all Milesight MS-Cxx63-PD units on your network. Check firmware versions via the camera admin panel or your VMS (Video Management System). Any device on firmware 51.7.0.77-r12 or below is vulnerable.
  • Apply the vendor firmware patch without delay. Visit the official Milesight support portal and download the latest firmware for affected models. Prioritize cameras connected to or near critical network segments.
  • Isolate vulnerable cameras on a dedicated VLAN. If patching cannot happen immediately, segment all IP cameras onto an isolated network with no lateral access to corporate or OT systems. This is a required control under ISO 27001 Annex A.13 and CBK guidelines.
  • Disable remote access and UPnP on all camera devices. If your cameras are accessible directly from the internet, take them offline now. No surveillance feed is worth a full network compromise. Verify your firewall rules block inbound connections to camera management ports.
  • Check your VMS logs for anomalous connections. Look for unexpected login attempts, configuration changes, or outbound traffic from camera IP addresses. Any unusual activity should be treated as a potential active intrusion and escalated immediately.
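The inventory audit above (first step) is easy to get wrong when firmware builds carry an "-rN" suffix, so here is a small Python triage script, added as an example and not part of the CISA advisory or any Milesight or DRONGO tooling. It assumes Milesight versions follow the "major.minor.patch.build-rN" shape shown in the advisory and takes the affected series pattern and the 51.7.0.77-r12 ceiling from the text; the inventory rows and the "51.7.0.78-r1" and non-matching model values are constructed samples, not real devices or a known fixed version.

```python
import re

# Affected series (MS-Cxx63-PD, "xx" wildcard) and ceiling version as stated in the advisory.
AFFECTED_MODEL = re.compile(r"^MS-C\d{2}63-PD$")
MAX_VULNERABLE_VERSION = "51.7.0.77-r12"


def parse_version(version: str) -> tuple:
    """Turn '51.7.0.77-r12' into a comparable tuple (51, 7, 0, 77, 12).

    Assumption: dotted numeric components (padded to four) plus an optional
    '-rN' build suffix; a missing suffix counts as build 0.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (4 - len(parts))
    build = int(m.group(2)) if m.group(2) else 0
    return parts + (build,)


def is_vulnerable(model: str, version: str) -> bool:
    """True when the model is in the affected series and firmware is at or below the ceiling."""
    if not AFFECTED_MODEL.match(model):
        return False
    return parse_version(version) <= parse_version(MAX_VULNERABLE_VERSION)


def triage(inventory: list) -> list:
    """Return the entries needing action, internet-exposed units first (they go offline first)."""
    flagged = [d for d in inventory if is_vulnerable(d["model"], d["firmware"])]
    return sorted(flagged, key=lambda d: (not d["internet_exposed"], d["ip"]))


# Constructed sample inventory, e.g. exported from a VMS; none of these are real devices.
SAMPLE_INVENTORY = [
    {"ip": "10.0.20.11", "model": "MS-C2963-PD", "firmware": "51.7.0.77-r12", "internet_exposed": False},
    {"ip": "10.0.20.12", "model": "MS-C5363-PD", "firmware": "51.7.0.76-r3", "internet_exposed": True},
    {"ip": "10.0.20.13", "model": "MS-C2963-PD", "firmware": "51.7.0.78-r1", "internet_exposed": False},
    {"ip": "10.0.30.5", "model": "MS-C2975-PB", "firmware": "51.7.0.77-r12", "internet_exposed": True},
]

if __name__ == "__main__":
    for d in triage(SAMPLE_INVENTORY):
        action = "TAKE OFFLINE, then patch" if d["internet_exposed"] else "patch, or isolate on camera VLAN"
        print(f"{d['ip']:<12} {d['model']:<12} {d['firmware']:<15} {action}")
```

Feed it your real export instead of SAMPLE_INVENTORY; the regex on the model field is the part most worth checking against your own naming, since a VMS may store models with extra suffixes.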

DRONGO Recommendation

Many East African organizations have no visibility into the firmware versions running on their physical security hardware. DRONGO's OT and Physical Security Audit service provides a full inventory of vulnerable network-connected devices - cameras, access control systems, and ICS equipment - mapped against current CVE databases, with a prioritized remediation plan delivered within 5 business days.

Is your organization protected? Request a free security assessment.