CISA 2026-06-18

AVer PTC cameras

CVE-2026-40624

Machine-generated analysis · WAYSCloud LLM

The advisory states that all versions of the affected AVer PTC camera models are vulnerable to arbitrary code execution via a crafted web request.

Context

AVer PTC cameras are used in government services, commercial facilities, and healthcare facilities according to the advisory. The vulnerability stems from improper input validation that allows a remote, unauthenticated attacker to execute arbitrary code. The CVSS score is rated 9.8 (Critical) under version 3.1 and 9.3 (Critical) under version 4.0. A firmware fix is available from the vendor.

Operator considerations

Check: Inventory all AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras in use.
Patch: Apply the firmware update provided by AVer at the specified URL.
Log: Monitor network traffic to and from the cameras for suspicious web requests.

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of this vulnerability could allow arbitrary code execution.

The following versions of AVer PTC cameras are affected:

PTC500S vers:all/* (CVE-2026-40624)

PTC115 vers:all/* (CVE-2026-40624)

PTC500+ vers:all/* (CVE-2026-40624)

PTC115+ vers:all/* (CVE-2026-40624)

Vendor

Equipment

AVer

AVer PTC cameras

Files or Directories Accessible to External Parties

Critical Infrastructure Sectors: Government Services and Facilities, Commercial Facilities, Healthcare and Public Health

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Taiwan

Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request.

AVer PTC cameras

MitigationAVer has provided a firmware fix to address this vulnerability; users can find it at t...

Read the full advisory on CISA →