CVE-2026-1241
published 2026-02-26


Priority: P2 61 · high · 8.7 (CVSS 4.0)
EPSS: 0.35% (26.6th percentile)

The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pelco_inc | sarix_professional_ibp_3_series | <= 02.52 | |
| pelco_inc | sarix_professional_imp_3_series | <= 02.52 | |
| pelco_inc | sarix_professional_iwp_3_series | <= 02.52 | |
| pelco_inc | sarix_professional_ixp_3_series | <= 02.52 | |

Detection & IOCs (extracted from sources)

  • Authentication bypass in the web management interface of Pelco Sarix Professional 3 Series cameras (IMP/IXP/IBP/IWP) running firmware <= 02.52; certain functionality is accessible without authentication, potentially exposing live video streams.
  • The vulnerability is network-accessible with no privileges or user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N); monitor for unauthenticated HTTP requests to the camera web management interface on affected devices.
  • Affected firmware versions to flag in asset inventory: Sarix Professional IMP/IXP/IBP/IWP 3 Series firmware <= 02.52.
  • No known public exploitation has been reported at time of advisory publication; no specific exploit code, IOCs, or attack tooling has been publicly disclosed for this CVE.
  • The bypass mechanism (alternate path or channel, CWE-288) is described only at a high level; the specific unauthenticated endpoint or parameter is not disclosed in available sources, limiting precise signature creation.

CVSS provenance

  • nvd: v4.0, 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • ghsa: 6.3 MEDIUM
  • vendor_redhat: 7.8 HIGH