CVE-2026-0855
Published: 12 January 2026
Description
Certain IP Camera models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection vulnerability by requiring comprehensive input validation at all system entry points to block arbitrary command execution.
Addresses this specific CVE by identifying, prioritizing, and remediating the OS command injection flaw through timely patching or updates.
Ensures the organization receives and acts on security advisories detailing mitigations for CVE-2026-0855 in Merit LILIN IP cameras.
Security SummaryAI
CVE-2026-0855 is an OS Command Injection vulnerability (CWE-78) affecting certain IP camera models developed by Merit LILIN. Published on 2026-01-12, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
The vulnerability enables authenticated remote attackers with low privileges to inject and execute arbitrary OS commands on the affected device. Exploitation requires network access and low attack complexity but no user interaction, allowing attackers to achieve high-impact outcomes such as full device compromise, data exfiltration, or disruption of camera operations.
Advisories from TWCERT/CC detail mitigation strategies and are available at https://www.twcert.org.tw/en/cp-139-10626-afbe2-2.html and https://www.twcert.org.tw/tw/cp-132-10625-fac5c-1.html.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of public-facing IP camera application (T1190) via authenticated access, directly facilitating arbitrary OS command injection and execution through Unix Shell (T1059.004).