{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1241", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-01-20T18:26:34.854Z", "datePublished": "2026-02-26T19:21:26.754Z", "dateUpdated": "2026-02-26T20:43:53.216Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Sarix Professional IMP 3 Series", "vendor": "Pelco, Inc.", "versions": [{"lessThanOrEqual": "02.52", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Sarix Professional IXP 3 Series", "vendor": "Pelco, Inc.", "versions": [{"lessThanOrEqual": "02.52", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Sarix Professional IBP 3 Series", "vendor": "Pelco, Inc.", "versions": [{"lessThanOrEqual": "02.52", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Sarix Professional IWP 3 Series", "vendor": "Pelco, Inc.", "versions": [{"lessThanOrEqual": "02.52", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Souvik Kandar"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges.<br>"}], "value": "The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-02-26T19:21:26.754Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Pelco, Inc. recommends that all Sarix Professional 3 Series Camera users update their camera firmware to version 02.53 or later. Installing the latest firmware ensures your device receives the most up-to-date bug fixes and critical security enhancements.<br><br>More information can be found by visiting Pelco, Inc's technical support page (<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.pelco.com/support\">https://www.pelco.com/support</a>) for assistance.<br>"}], "value": "Pelco, Inc. recommends that all Sarix Professional 3 Series Camera users update their camera firmware to version 02.53 or later. Installing the latest firmware ensures your device receives the most up-to-date bug fixes and critical security enhancements.\n\nMore information can be found by visiting Pelco, Inc's technical support page ( https://www.pelco.com/support ) for assistance."}], "source": {"discovery": "UNKNOWN"}, "title": "Authentication Bypass Using an Alternate Path or Channel in Pelco, Inc. Sarix Pro 3 Series IP Cameras", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T20:43:12.875844Z", "id": "CVE-2026-1241", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T20:43:53.216Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1241", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T20:43:12.875844Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T20:43:17.816Z"}}], "cna": {"title": "Authentication Bypass Using an Alternate Path or Channel in Pelco, Inc. Sarix Pro 3 Series IP Cameras", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Souvik Kandar"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pelco, Inc.", "product": "Sarix Professional IMP 3 Series", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "02.52"}], "defaultStatus": "unaffected"}, {"vendor": "Pelco, Inc.", "product": "Sarix Professional IXP 3 Series", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "02.52"}], "defaultStatus": "unaffected"}, {"vendor": "Pelco, Inc.", "product": "Sarix Professional IBP 3 Series", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "02.52"}], "defaultStatus": "unaffected"}, {"vendor": "Pelco, Inc.", "product": "Sarix Professional IWP 3 Series", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "02.52"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Pelco, Inc. recommends that all Sarix Professional 3 Series Camera users update their camera firmware to version 02.53 or later. Installing the latest firmware ensures your device receives the most up-to-date bug fixes and critical security enhancements.\n\nMore information can be found by visiting Pelco, Inc's technical support page ( https://www.pelco.com/support ) for assistance.", "supportingMedia": [{"type": "text/html", "value": "Pelco, Inc. recommends that all Sarix Professional 3 Series Camera users update their camera firmware to version 02.53 or later. Installing the latest firmware ensures your device receives the most up-to-date bug fixes and critical security enhancements.<br><br>More information can be found by visiting Pelco, Inc's technical support page (<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.pelco.com/support\">https://www.pelco.com/support</a>) for assistance.<br>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-02"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges.", "supportingMedia": [{"type": "text/html", "value": "The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-02-26T19:21:26.754Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1241", "state": "PUBLISHED", "dateUpdated": "2026-02-26T20:43:53.216Z", "dateReserved": "2026-01-20T18:26:34.854Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-02-26T19:21:26.754Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges."}, {"lang": "es", "value": "Las c\u00e1maras Pelco, Inc. Sarix Professional 3 Series son vulnerables a un problema de omisi\u00f3n de autenticaci\u00f3n en su interfaz de gesti\u00f3n web. El fallo se deriva de una aplicaci\u00f3n inadecuada de los controles de acceso, permitiendo que cierta funcionalidad sea accedida sin la autenticaci\u00f3n adecuada. Esta debilidad puede conducir a la visualizaci\u00f3n no autorizada de transmisiones de video en vivo, creando preocupaciones de privacidad y riesgos operativos para las organizaciones que dependen de estas c\u00e1maras. Adem\u00e1s, puede exponer a los operadores a desaf\u00edos regulatorios y de cumplimiento."}], "id": "CVE-2026-1241", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-02-26T20:31:33.657", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,02.52]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "sarix_professional_ibp_3_series", "vendor": "pelco"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,02.52]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "sarix_professional_imp_3_series", "vendor": "pelco"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,02.52]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "sarix_professional_iwp_3_series", "vendor": "pelco"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,02.52]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "sarix_professional_ixp_3_series", "vendor": "pelco"}], "analysis": {"en": {"generated_at": "2026-04-17T14:16:54.980617+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update (02.53 or later) to all Sarix Professional 3 Series cameras.", "If a firmware upgrade is not immediately possible, restrict or disable the web management interface and enforce network segmentation so only trusted devices can reach it.", "Implement strict access controls on the camera\u2019s management interface, such as firewall rules or VPN tunnels, to limit exposure to authorized personnel only."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access / Live Stream Viewing"}, "threat_synthesis": {"affected_systems": "Pelco, Inc. Sarix Professional 3 Series IP cameras, including the IBP 3 Series, IMP 3 Series, IWP 3 Series, and IXP 3 Series models. Cameras running firmware versions earlier than 02.53 are affected.", "description_and_impact": "The vulnerability is an authentication bypass in the web management interface of Pelco, Inc. Sarix Professional 3 Series cameras. It results from inadequate enforcement of access controls, allowing unauthorized users to view live video streams. This creates privacy concerns, operational risks, and may expose organizations to regulatory and compliance challenges.", "risk_and_exploitability": "The CVSS score of 8.7 denotes high severity. The EPSS score of <1% indicates a low probability of exploitation at this time, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The flaw can be leveraged by an attacker who can send requests to the camera's web management interface, bypassing authentication controls and retrieving unencrypted live video streams. The attack likely occurs over HTTP/HTTPS and does not require local access or privileged credentials."}}}}, "created": "2026-02-27T09:07:08.302500+00:00", "updated": "2026-04-17T14:30:20.813251+00:00", "vendors": ["pelco", "pelco$PRODUCT$sarix_professional_ibp_3_series", "pelco$PRODUCT$sarix_professional_imp_3_series", "pelco$PRODUCT$sarix_professional_iwp_3_series", "pelco$PRODUCT$sarix_professional_ixp_3_series"]}