Brickcom Cameras (CVE-2026-50245, CVE-2026-50005)

What Happened

Certain Brickcom security cameras have flaws that could allow unauthorized people on the network to view live video feeds and take control of the devices. This affects the Cube, Dome, Bullet, and Box camera models running version 3.2.3.5.6. This is concerning because it compromises physical security and privacy for organizations using these cameras. Users should ensure these cameras are not directly accessible from the internet and place them behind firewalls or VPNs, as the manufacturer has not yet released a fix.

Key Takeaways

• Brickcom Cube, Dome, Bullet, and Box cameras (version 3.2.3.5.6) are affected by two high-severity vulnerabilities.
• CVE-2026-50245 allows unauthenticated access to live snapshot images via the /ONVIF endpoint.
• CVE-2026-50005 involves the use of default credentials, allowing silent access to camera feeds.
• The vendor has not responded to CISA's coordination requests, meaning no official patches are currently available.
• While the advisory summary mentions remote attackers, the CVSS vector (AV:L) and CISA's notes indicate the vulnerabilities are not exploitable remotely over the internet without prior local network access.

Affected Systems

• Brickcom Cube 3.2.3.5.6
• Brickcom Dome 3.2.3.5.6
• Brickcom Bullet 3.2.3.5.6
• Brickcom Box 3.2.3.5.6

Vulnerabilities (CVEs)

• CVE-2026-50245
• CVE-2026-50005

Attack Chain

An attacker gains access to the local network where a vulnerable Brickcom camera is deployed. To exploit CVE-2026-50245, the attacker sends requests to the /ONVIF endpoint, retrieving live snapshot images without requiring authentication. Alternatively, to exploit CVE-2026-50005, the attacker logs into the camera's management interface using known default credentials, granting them silent access to live feeds and administrative control over the device.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules are provided in the advisory.

Detection Engineering Assessment

EDR Visibility: None — Brickcom cameras are embedded IoT devices that do not support the installation of standard EDR agents. Network Visibility: Medium — Network monitoring tools can detect unauthorized access to the /ONVIF endpoint or unusual login attempts, provided the traffic is unencrypted or inspected. Detection Difficulty: Moderate — Detecting exploitation requires network-level visibility into the camera's management interface and the ability to distinguish legitimate administrative access (like an NVR polling the camera) from unauthorized access.

Required Log Sources

• Network flow logs
• Web proxy logs
• Firewall logs

Hunting Hypotheses

Control Gaps

• Lack of EDR telemetry on IoT devices
• Vendor unresponsiveness preventing official patch deployment

Key Behavioral Indicators

• HTTP requests to the /ONVIF endpoint without proper authentication headers
• Successful logins to the camera interface using known default Brickcom credentials

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Identify all Brickcom cameras on the network and ensure they are not directly accessible from the internet.
• Change all default credentials on Brickcom devices immediately to mitigate CVE-2026-50005.

Infrastructure Hardening

• Isolate IP cameras and IoT devices on dedicated VLANs with strict firewall rules preventing inbound access from untrusted networks.
• Require VPN access for any remote management of camera systems, ensuring the VPN itself is fully patched and secure.

User Protection

• N/A

Security Awareness

• N/A

MITRE ATT&CK Mapping

• T1190 - Exploit Public-Facing Application
• T1078.001 - Valid Accounts: Default Accounts