Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.

Specific firmware versions of Milesight AIOT cameras contain a critical vulnerability where SSL certificates are configured with default private keys. This security flaw allows attackers to potentially intercept and decrypt SSL/TLS communications intended to be secure. The vulnerability affects multiple firmware versions across Milesight's AIOT camera product line. CISA has issued an advisory (ICSA-26-113-03) regarding this issue. Organizations using affected Milesight AIOT cameras should update to patched firmware versions immediately. The use of default cryptographic keys represents a fundamental security weakness that can be exploited for man-in-the-middle attacks.