
Brickcom security advisory flags unauthenticated camera access

CISA warns that Brickcom cameras expose live feeds and default credentials, urging isolation until patches appear.

Brickcom’s latest camera line harbors two high‑severity flaws that let anyone on the network view live video and grab admin control.

CISA’s advisory lists CVE‑2026‑50245, which skips authentication on the ONVIF endpoint, and CVE‑2026‑50005, which ships devices with unchanged default logins. Both affect the Cube, Dome, Bullet and Box models at firmware version 3.2.3.5.6, scoring 7.7 to 8.3 on the CVSS scale. Brickcom has not responded to coordination requests, leaving the bugs unpatched.

The practical impact is that an unauthenticated attacker could monitor premises, siphon visual data, or reconfigure cameras without detection. For sectors ranging from healthcare to finance, such blind spots translate into privacy breaches and potential sabotage of physical security systems. Network exposure is the weakest link; keeping these devices off the internet and behind firewalls buys time.

Until Brickcom releases fixes, the safest play is to isolate the cameras on a segmented VLAN, block inbound traffic, and consider temporary cover‑up solutions. In short, the flaws are severe, remain unpatched, and demand immediate network isolation or mitigation.
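An added example, not part of the original article or of CISA's advisory: a triage pass over an asset inventory that picks out units matching the affected models and firmware named above and reports which of them still sit outside the isolated segment, are reachable from the internet, or keep factory logins. The CSV columns, the camera VLAN subnet and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Taken from the advisory summary above.
AFFECTED_MODELS = {"cube", "dome", "bullet", "box"}
AFFECTED_FIRMWARE = "3.2.3.5.6"  # only the version the advisory names

# Assumption: the segmented VLAN this site reserves for cameras.
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """\
hostname,vendor,model,firmware,ip,internet_exposed,creds_changed
lobby-cam,Brickcom,Dome,3.2.3.5.6,10.20.30.11,no,yes
dock-cam,Brickcom,Bullet,3.2.3.5.6,192.168.1.57,no,no
gate-cam,Brickcom,Box,3.2.3.5.6,10.20.30.12,yes,yes
lab-cam,Brickcom,Cube,3.1.0.0.2,192.168.1.60,no,no
door-cam,OtherVendor,Dome,3.2.3.5.6,192.168.1.61,no,no
"""


def triage(inventory_csv, camera_vlan=CAMERA_VLAN):
    """Map each affected Brickcom unit to the mitigations it still lacks."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        row = {k: v.strip() for k, v in row.items()}
        if row["vendor"].lower() != "brickcom":
            continue
        if row["model"].lower() not in AFFECTED_MODELS:
            continue
        if row["firmware"] != AFFECTED_FIRMWARE:
            continue
        findings = []
        if ipaddress.ip_address(row["ip"]) not in camera_vlan:
            findings.append("not-in-camera-vlan")
        if row["internet_exposed"].lower() == "yes":
            findings.append("internet-exposed")
        if row["creds_changed"].lower() != "yes":
            findings.append("default-credentials")
        results[row["hostname"]] = findings or ["isolated"]
    return results


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(findings)}")
```

A unit reported as `isolated` still runs the unpatched firmware; the label only means the network and credential mitigations described above are in place.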

The Revision

Written by an AI system from the public sources credited above.