CVE-2026-0855
📋 TL;DR
Merit LILIN IP cameras have an OS command injection vulnerability that allows authenticated remote attackers to execute arbitrary commands on the device. This affects organizations using these cameras for surveillance or monitoring. Attackers can gain full control of vulnerable cameras.
💻 Affected Systems
- Merit LILIN IP Camera models
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to pivot to internal networks, install persistent malware, disable surveillance, or use cameras as botnet nodes.
Likely Case
Attackers gain shell access to cameras, modify configurations, steal video feeds, or use devices for DDoS attacks.
If Mitigated
Limited impact if cameras are isolated in separate VLANs with strict network segmentation and authentication controls.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once authenticated. No public exploit code found in provided references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in references
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-10626-afbe2-2.html
Restart Required: Yes
Instructions:
1. Contact Merit LILIN for firmware updates.
2. Download latest firmware from vendor.
3. Upload firmware via camera web interface.
4. Reboot camera after update.
🔧 Temporary Workarounds
Network Segmentation
All platforms: Isolate cameras in a separate VLAN with restricted access
Authentication Hardening
All platforms: Change default credentials and implement strong authentication
🧯 If You Can't Patch
- Segment cameras in isolated network with no internet access
- Implement strict firewall rules allowing only necessary traffic to cameras
🔍 How to Verify
Check if Vulnerable:
Check camera model and firmware version against vendor advisory. Test authenticated command injection via web interface.
Check Version:
Check via camera web interface: System > Information or similar menu
Verify Fix Applied:
Verify that the firmware version matches the patched version from the vendor. Test that command injection attempts fail.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unusual outbound connections from cameras
- Suspicious payloads in HTTP requests to camera web interface
SIEM Query:
source="camera_logs" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*)")
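The log indicators and the SIEM query above can be combined into one pass over exported logs. The following is an added example, not code from this page or from the vendor; the `key=value` log layout, the field names (`src`, `event`, `result`, `value`), the threshold and the time window are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; this key=value layout is an assumed format, not a LILIN one.
SAMPLE_LOGS = """\
2026-01-10T02:14:01Z src=203.0.113.7 event=login result=fail user=admin
2026-01-10T02:14:03Z src=203.0.113.7 event=login result=fail user=admin
2026-01-10T02:14:05Z src=203.0.113.7 event=login result=fail user=admin
2026-01-10T02:14:09Z src=203.0.113.7 event=login result=ok user=admin
2026-01-10T02:15:30Z src=203.0.113.7 event=request path=/example value=ntp.example.org;PLACEHOLDER
2026-01-10T08:00:00Z src=192.0.2.10 event=login result=ok user=operator
2026-01-10T08:01:12Z src=192.0.2.10 event=request path=/example value=ntp.example.org
""".splitlines()

# Same metacharacters as the SIEM query: ; | ` and $(
META = re.compile(r"[;|`]|\$\(")
FIELD = re.compile(r"(\w+)=(\S+)")
WINDOW = timedelta(minutes=5)   # assumed look-back window for failed logins
THRESHOLD = 3                   # assumed number of failures that makes a success suspicious

def detect(lines):
    """Return (rule, source_ip, timestamp) alerts for both log indicators."""
    fails = defaultdict(deque)  # source IP -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        stamp, _, rest = line.partition(" ")
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        f = dict(FIELD.findall(rest))
        src = f.get("src")
        if f.get("event") == "login":
            recent = fails[src]
            while recent and ts - recent[0] > WINDOW:
                recent.popleft()            # drop failures older than the window
            if f.get("result") == "fail":
                recent.append(ts)
            elif f.get("result") == "ok":
                if len(recent) >= THRESHOLD:
                    alerts.append(("fail_then_success", src, stamp))
                recent.clear()
        elif f.get("event") == "request" and META.search(f.get("value", "")):
            alerts.append(("shell_metachar", src, stamp))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Because the injection requires authentication, the two alerts are most useful when correlated on the same source address within a short interval.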