The Cybersecurity and Infrastructure Security Agency (CISA) published advisory ICSA-26-169-01 on June 18, 2026, alerting organizations to a maximum-severity vulnerability in multiple AVer PTC camera models. Tracked as CVE-2026-40624, the flaw carries a CVSS score of 9.8 out of 10 and could allow unauthenticated attackers to execute arbitrary code on affected devices. The cameras are deployed across government, commercial, and healthcare facilities globally, making this a threat with sweeping potential impact.

CISA’s release did not detail the specific technical root cause, but the agency’s warning level and the near-perfect severity score signal a vulnerability that is remotely exploitable, requires no user interaction, and grants attackers full control over the targeted system. That combination often points to a flaw in network-facing services—such as a buffer overflow in a web interface or a command injection in a configuration protocol—that can be weaponized to drop malware, pivot into internal networks, or conscript the camera into a botnet.

AVer Information Inc., the Taiwanese manufacturer, produces a broad portfolio of conferencing and surveillance cameras. Its PTC series includes pan-tilt-zoom models used in lecture halls, courtrooms, medical training labs, and corporate boardrooms. Because these devices frequently sit on the same logical network as sensitive servers and endpoint devices, a compromise can expose far more than the camera’s own video feed. In many installations, the cameras are managed through Windows-based software, such as AVer’s PTZ Management or third-party NVR solutions. An attacker who seizes control of the camera could leverage it as a stepping stone to move laterally toward domain controllers, file servers, or healthcare records databases.

What We Know About CVE-2026-40624 So Far

CISA’s advisory explicitly warns that the vulnerability may enable code execution. That means an attacker could run arbitrary commands or binaries on the camera’s operating system. Modern IP cameras often run lightweight Linux builds, and they rarely receive the same rigorous patching cadence as general-purpose computers. Once an attacker gains a shell, they can install persistent backdoors, exfiltrate configuration data, or intercept video streams. The risk escalates if the camera has credentials stored for other network resources—such as an SMTP server or an FTP backup location—because those credentials could be harvested and reused.

The CVE entry was first reserved on a date prior to the advisory, and details remain limited while AVer and CISA coordinate disclosure. ICS-CERT advisories typically follow a responsible disclosure timeline, giving vendors time to develop patches before publicizing vulnerabilities. In some cases, active exploitation is already underway by the time an advisory drops. CISA did not confirm whether this vulnerability has been spotted in the wild, but the urgency of the announcement suggests that a proof-of-concept may already exist or that the exploitation barrier is exceptionally low.

AVer has yet to release a comprehensive list of affected firmware versions or model numbers on its security page at the time of writing. However, based on previous ICS-CERT practice, the advisory will be updated with specifics as patches become available. Users of any AVer PTC model—especially those with internet-facing administrative interfaces—should assume they are at risk until the vendor confirms otherwise.

Why the CVSS 9.8 Score Matters

A CVSS base score of 9.8 represents the severe edge of the severity scale. For a vulnerability to reach that level, it must meet nearly all of the following criteria: network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. In other words, a remote attacker needs no prior access and no trickery against a user, and can completely compromise the device’s confidentiality, integrity, and availability. That effectively means full remote control.

Such vulnerabilities are rare but not unheard of in IoT and embedded devices. In 2024, a memory corruption flaw in a widely used IP camera SDK received a 9.8 score, and attackers used it to build massive botnets. The Mirai-style botnet model thrives on devices that cannot be easily patched or monitored. Even when patches are available, many organizations neglect camera firmware for years, leaving them exposed.

The Windows Connection

While the cameras themselves run embedded operating systems, their management ecosystem is often deeply intertwined with Windows environments. AVer provides PTZ Management software that runs on Windows, and many third-party video management systems (VMS) from vendors like Milestone or Genetec are Windows-exclusive. If a compromised camera can push malicious data back to the VMS server—for example, by exploiting a client-side vulnerability in the management console—the attack surface extends directly to the Windows domain.

Even without such a two-step attack, a breached camera provides an attacker a foothold on the local subnet. From there, they can scan for Windows systems, launch credential-theft tools like Responder, or exploit unpatched SMB vulnerabilities. In healthcare settings, where AVer cameras are common in operating rooms and training simulators, a network-borne threat can quickly escalate into a patient safety concern if medical devices or EHR systems become collateral damage.

CISA’s advisory therefore resonates far beyond the physical security team. IT administrators responsible for Windows infrastructure must treat this as a critical patch-and-isolate event. Network segmentation, already a best practice for IoT devices, moves from recommendation to requirement when a 9.8-rated remote execution bug is in play. VLAN isolation and strict firewall rules should prevent cameras from initiating connections to sensitive networks, and any management software should be hardened with the assumption that the cameras it controls are potentially hostile.

Recommendations for Immediate Action

CISA’s advisory includes typical mitigation steps, but organizations should act decisively:

  • Isolate affected devices: Immediately remove any AVer PTC camera from the internet or restrict its access to strictly necessary internal subnets using firewall rules. Disable UPnP and port forwarding rules that might expose the camera’s administrative interface to the WAN.
  • Monitor for patches: Check AVer’s official support portal and subscribe to CISA’s ICS advisory updates. The advisory number ICSA-26-169-01 will be updated with patch links and revision history.
  • Harden management workstations: If you use Windows-based management software for these cameras, ensure that workstations are fully patched and that users operate with least privilege. Consider using a dedicated, air-gapped management PC if possible.
  • Audit network logs: Look for unexpected outbound connections from camera IPs, especially to unfamiliar external addresses. Command-and-control traffic might resemble HTTPS or DNS tunneling.
  • Enable logging and alerting: SIEM rules that flag new processes spawned by camera management services or unusual traffic from camera VLANs can provide early detection if exploitation occurs before patching.
  • Apply network segmentation retroactively: If cameras have been sharing a flat network with business systems, now is the time to implement VLANs and access control lists that strictly limit what those cameras can talk to.
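Detection logic of the kind the "Audit network logs" and "Enable logging and alerting" steps describe, as an added example that is not from CISA, AVer or this article: it runs over constructed flow records and assumes a camera VLAN of 10.50.0.0/24 whose only legitimate peers are an NVR at 10.10.5.20 and an NTP server at 10.10.1.5. Every address, port set and threshold here is invented for illustration and would be replaced by the site's own policy.

```python
import ipaddress
from collections import Counter

# Assumed camera VLAN policy (constructed for this example).
CAMERA_VLAN = ipaddress.ip_network("10.50.0.0/24")
ALLOWED = {                         # destination -> ports a camera may use
    "10.10.5.20": {80, 443, 554},   # VMS / NVR server (web UI + RTSP)
    "10.10.1.5": {123},             # internal NTP
}
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_QUERIES_PER_WINDOW = 50         # above this, suspect DNS tunneling

# Constructed flow records, one per line: "src dst dport proto".
# 203.0.113.77 is a documentation address standing in for an unknown external host.
SAMPLE_FLOWS = """
10.50.0.12 10.10.5.20 554 tcp
10.50.0.12 10.10.1.5 123 udp
10.50.0.31 10.10.5.20 443 tcp
10.50.0.31 203.0.113.77 443 tcp
10.50.0.31 10.20.0.15 445 tcp
""" + "\n".join("10.50.0.44 10.10.1.53 53 udp" for _ in range(60))


def flag_camera_flows(flow_text: str) -> list[str]:
    """Return one alert string per camera-originated flow that violates policy."""
    alerts = []
    dns_count = Counter()
    for line in flow_text.strip().splitlines():
        src, dst, dport, proto = line.split()
        if ipaddress.ip_address(src) not in CAMERA_VLAN:
            continue                # only camera-initiated traffic is in scope
        dport = int(dport)
        dst_ip = ipaddress.ip_address(dst)
        if dport == 53:
            dns_count[src] += 1     # DNS is counted, not allowlisted
            continue
        if dst in ALLOWED and dport in ALLOWED[dst]:
            continue                # expected NVR / NTP traffic
        if not any(dst_ip in net for net in INTERNAL):
            alerts.append(f"{src}: outbound to external {dst}:{dport}/{proto}")
        elif dport == 445:
            alerts.append(f"{src}: SMB to internal host {dst} (possible lateral movement)")
        else:
            alerts.append(f"{src}: unexpected internal {dst}:{dport}/{proto}")
    for src, n in dns_count.items():
        if n > DNS_QUERIES_PER_WINDOW:
            alerts.append(f"{src}: {n} DNS queries in window (possible tunneling)")
    return alerts
```

On the constructed records the function raises three alerts: the external HTTPS connection, the SMB attempt toward a workstation subnet, and the DNS burst; the two cameras that only talk to the NVR and NTP server stay silent.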

The Bigger Picture: IoT Security in Critical Environments

CVE-2026-40624 is not an outlier. The convergence of physical and digital security has doubled the attack surface in hospitals, government buildings, and corporate campuses. Cameras, badge readers, environmental sensors, and industrial controllers all run complex software stacks that receive far less security scrutiny than their IT counterparts. Yet they are often granted the same network privileges.

CISA’s ongoing Binding Operational Directive 23-01 pushes federal agencies to inventory and manage assets, but the private sector lags. A 2026 Ponemon Institute report found that 64% of organizations had experienced an IoT-related security incident in the past two years, with cameras being the most commonly targeted device. The reason is simple: cameras are everywhere, they process rich data, and they are notoriously hard to patch without disrupting operations.

For AVer’s customers, the stakes are particularly high in healthcare. A camera in a surgical suite captures protected health information (PHI). Under HIPAA, a breach of that data can trigger mandatory reporting, fines, and reputational damage. If an attacker uses the camera as a pivot to access a patient records system, the fallout multiplies.

Governments and educational institutions face similar risks. AVer PTCs are used in legislative chambers, distance learning setups, and public safety dispatch centers. A compromised camera in a courtroom, for example, could not only record proceedings but also inject malware into the court’s evidence management system.

How to Stay Ahead of the Next Advisory

CISA’s ICS advisories are published twice a week and often go unnoticed outside of industrial control system circles. Yet many of the devices covered—cameras, routers, UPS units—sit in standard enterprise IT environments. Windows administrators should integrate ICS-CERT feeds into their vulnerability management workflow. Tools like the CISA Known Exploited Vulnerabilities catalog and the NVD API can be automated to flag high-severity hardware flaws.

For organizations running large fleets of IP cameras, a dedicated firmware lifecycle management process is essential. That means maintaining an accurate inventory with model numbers and firmware versions, testing patches in a lab before production, and having a rollback plan. It also means budgeting for the eventual end-of-life of hardware that can no longer be patched—a reality that few departments plan for when they purchase a camera expected to last a decade.

Conclusion

CVE-2026-40624 is a stark reminder that the devices we trust to monitor our most sensitive spaces can become entry points for attackers. With a 9.8 CVSS score, remote code execution capability, and deployment in critical sectors, this vulnerability demands immediate and aggressive mitigation. CISA’s advisory gives organizations the official go-ahead to pull vulnerable cameras offline if necessary, and it should prompt a broader review of how these devices are integrated into Windows-centric networks. Until AVer releases firmware updates and confirmed model lists, the safest posture is to treat every AVer PTC camera as a potential threat and to isolate it accordingly.