CVE-2026-32644 — AI Deep Analysis Summary

🚨 **Essence**: Milesight AIOT cameras use **hardcoded default SSL private keys**. 📉 **Consequences**: Complete loss of confidentiality, integrity, and availability.…

🛡️ **Root Cause**: **CWE-321** (Use of Hard-coded Cryptographic Key). The device ships with a static private key shared across units, making encryption meaningless.

🏢 **Affected**: **Milesight** brand. Specifically **MS-Cxx63-PD** series AIOT cameras. These are smart surveillance devices integrating IoT and AI.

💀 **Attacker Capabilities**: Full **High** impact. Can read all encrypted video streams, inject malicious commands, and impersonate the camera to the network. No authentication needed.

🔓 **Exploitation Threshold**: **LOW**. CVSS Vector: `AV:N/AC:L/PR:N/UI:N`. Network accessible, Low complexity, **No Privileges** required, No User Interaction needed. It's an open door.

🧪 **Public Exploit**: **No**. The `pocs` field is empty. However, the flaw is theoretical and trivial to exploit once the key is known. No specific PoC code is currently public.

🔍 **Self-Check**: Scan for Milesight AIOT cameras. Verify if the SSL certificate presented by the device matches the **known default private key**. Check if the key is static across multiple devices.

🩹 **Official Fix**: **Yes**. Milesight provides firmware updates. Visit their official support/download page to check for patches that replace the hardcoded key with unique per-device keys.

🚧 **No Patch Workaround**: **Isolate** the cameras on a segmented VLAN. Restrict network access to only necessary IPs. Monitor for unusual SSL/TLS handshake anomalies. Treat them as untrusted.

⚡ **Urgency**: **CRITICAL**. CVSS Score is **9.1** (High). Default keys mean any attacker on the network can compromise the device instantly. Patch immediately or isolate.