Milesight Security Notice – HTTP API Vulnerability in NVR Products

Date: 2025-04-29

At Milesight, we take product security seriously. As part of our ongoing commitment to safeguarding users and systems, we continuously monitor for potential vulnerabilities and act swiftly to mitigate risks.

A recent internal security review has identified a vulnerability in the HTTP API interface of Milesight NVR devices. This issue may arise if the HTTP port is exposed to the public network (for instance, via port forwarding). Under such configurations, an attacker could potentially exploit the device to launch attacks on other networked systems.

Risk Overview

• Issue: When the HTTP service of a Milesight NVR is accessible from the internet, it may be abused by malicious actors as a relay to perform attacks against external systems.
• Impact: The device may be manipulated to participate in harmful activity unrelated to its intended function.
• Affected Products:
  • MS-N1004-xxxx
  • MS-N1008-xxxx
  • MS-N5008-xxxx
  • MS-N5016-xxxx
  • MS-N7016-xxxx
  • MS-N7032-xxxx
  • MS-N7048-xxxx
  • MS-N8032-xxxx
  • MS-N8064-xxxx

Remediation

An updated firmware version has been developed to eliminate this vulnerability. We advise all users to upgrade their devices promptly.

• Firmware Download: Download Here
• Future Availability: The firmware will also be accessible via the Milesight official website and will support cloud-based updates in upcoming releases.

Next Steps for Users

• If your device is accessible from the internet, immediately disable external HTTP access until the firmware is updated.
• Download and apply the latest firmware as linked above.
• Monitor network activity for any abnormal behavior if external exposure has occurred.

Reporting Security Issues

We encourage all users and partners to report potential security vulnerabilities to help us maintain the integrity of Milesight products.

Please submit reports using the following format:

• Subject: Vulnerability Report - [Product Name] - [Brief Summary]
• Submit to: security@milesight.com
• Learn more: Milesight Vulnerability Reporting Policy