Cyber Posture

CVE-2026-32644

Critical

Published: 28 April 2026
Modified: 28 April 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32644 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability; the affected vendor field is recorded as Cisa (inferred from references; see Affected Products below). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 8.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- IA-5 (Authenticator Management), prevent: Explicitly requires changing default authenticators, such as private keys used in SSL certificates, prior to first use, directly preventing exploitation of known default keys.
- SC-12 (Cryptographic Key Establishment and Management), prevent: Mandates proper establishment, distribution, storage, access, and destruction of cryptographic keys, mitigating the use of default private keys in firmware SSL certificates.
- PKI certificate issuance, prevent: Requires PKI certificates to be issued under approved policies from trusted providers, preventing deployment of SSL certificates with default private keys.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1557 Adversary-in-the-Middle (Credential Access): Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

The vulnerability sits in network-exposed camera firmware that ships hard-coded default TLS private keys. That directly enables remote exploitation of a public-facing service (T1190), and because the private key is known, it also enables active adversary-in-the-middle attacks through server impersonation and decryption of captured traffic (T1557).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.

Deeper analysis

CVE-2026-32644 is a critical vulnerability in specific firmware versions of Milesight AIOT cameras, where the SSL certificates are configured with default private keys. The issue is mapped to CWE-321 (Use of Hard-coded Cryptographic Key) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high impact on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. Because the default private key is shared across affected devices, anyone who holds it can decrypt TLS-encrypted traffic to the camera or impersonate the camera in an adversary-in-the-middle position, which is what drives the high-impact rating.

CISA's ICS advisory ICSA-26-113-03, also available in CSAF JSON format, and Milesight's firmware download page together outline the mitigation steps. Practitioners should review these resources to identify affected firmware versions and apply vendor-provided updates that regenerate certificates with unique, per-device private keys.

Details

CWE(s)

CWE-321 Use of Hard-coded Cryptographic Key

Affected Products

Cisa (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2025-15016 (shared CWE-321)
- CVE-2025-30095 (shared CWE-321)
- CVE-2026-22586 (shared CWE-321)
- CVE-2025-30234 (shared CWE-321)
- CVE-2025-11899 (shared CWE-321)
- CVE-2025-57174 (shared CWE-321)
- CVE-2025-62581 (shared CWE-321)
- CVE-2026-26335 (shared CWE-321)
- CVE-2025-8625 (shared CWE-321)
- CVE-2025-27674 (shared CWE-321)