CVE-2026-4478
Published: 20 March 2026
Summary
CVE-2026-4478 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-7 requires integrity verification tools including cryptographic signatures for firmware, directly mitigating the improper verification during HTTP firmware updates.
CM-14 mandates digital signature verification of firmware components prior to deployment, preventing installation of manipulated firmware lacking valid signatures.
SR-11 enforces verification of component authenticity using cryptographic mechanisms for vendor-supplied firmware, addressing the signature bypass in the update handler.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Signature bypass in HTTP firmware update handler directly enables remote installation of malicious firmware (T1109/T1542.001) via exploitation of a public-facing application (T1190).
NVD Description
A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This impacts an unknown function of the file home/web/ipc of the component HTTP Firmware Update Handler. The manipulation leads to improper verification of cryptographic signature. The attack is…
more
possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-4478 is a vulnerability in the Yi Technology YI Home Camera 2 firmware version 2.1.1_20171024151200, affecting an unknown function within the file home/web/ipc of the HTTP Firmware Update Handler component. It stems from improper verification of cryptographic signatures (CWE-345 and CWE-347), allowing manipulated firmware updates to bypass validation. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential impacts on confidentiality, integrity, and availability.
The vulnerability enables remote exploitation without user interaction or privileges, though it requires high attack complexity and is considered difficult to exploit. Attackers could manipulate firmware updates to achieve full compromise of the affected camera, potentially leading to unauthorized access, data exfiltration, or device takeover. A public exploit is available and could be leveraged by adversaries.
VulDB advisories, referenced at https://vuldb.com/?ctiid.351768, https://vuldb.com/?id.351768, and https://vuldb.com/?submit.773162, detail the issue but note no vendor response despite early disclosure notification. No patches or mitigations are confirmed available from Yi Technology.
An exploit is publicly available and might be used in targeted attacks on exposed YI Home Camera 2 devices.
Details
- CWE(s)