Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN101
_____________________________________________________________________

DATE                : 02/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running KiloView Encoder Series.

=====================================================================
https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-01#
_____________________________________________________________________

 KiloView Encoder Series


Release Date
January 29, 2026

Alert Code
ICSA-26-029-01

Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems


Summary

Successful exploitation of this vulnerability could allow an 
unauthenticated attacker to create or delete administrator accounts, 
granting full administrative control.

The following versions of KiloView Encoder Series are affected:

    Encoder Series E1 hardware Version 1.4 4.7.2516 (CVE-2026-1453)

    Encoder Series E1 hardware Version 1.6.20 
4.7.2511|4.8.2523|4.8.2611|4.6.2400|4.7.2512|4.8.2561|4.8.2554|4.3.
2029|4.8.2555|4.6.2408 (CVE-2026-1453)

    Encoder Series E1-s hardware Version 1.4 
4.7.2516|4.8.2519|4.8.2525|4.8.2611|4.8.2561|4.8.2554|4.8.2523 
(CVE-2026-1453)

    Encoder Series E2 hardware Version 1.7.20 4.8.2611|4.8.2561 
(CVE-2026-1453)

    Encoder Series E2 hardware Version 1.8.20 
4.8.2523|4.8.2611|4.8.2554 (CVE-2026-1453)

    Encoder Series G1 hardware Version 1.6.20 4.8.2561 (CVE-2026-1453)

    Encoder Series P1 hardware Version 1.3.20 4.8.2633|4.8.2608 
(CVE-2026-1453)

    Encoder Series P2 hardware Version 1.8.20 4.8.2633 (CVE-2026-1453)

    Encoder Series RE1 hardware Version 2.0.00 4.7.2513 (CVE-2026-1453)

    Encoder Series RE1 hardware Version 3.0.00 
4.8.2519|4.8.2561|4.8.2611|4.8.2525 (CVE-2026-1453)


CVSS     Vendor      Equipment            Vulnerabilities
v3 9.8 	KiloView     KiloView Encoder Series   Missing Authentication 
for Critical Function


Background

    Critical Infrastructure Sectors: Communications, Information 
Technology
    Countries/Areas Deployed: Worldwide
    Company Headquarters Location: China


Vulnerabilities


CVE-2026-1453

A missing authentication for critical function vulnerability in 
KiloView Encoder Series could allow an unauthenticated attacker to 
create or delete administrator accounts. This vulnerability can grant 
the attacker full administrative control over the product.

View CVE Details

Affected Products

KiloView Encoder Series


Vendor:
KiloView

Product Version:
KiloView Encoder Series E1 hardware Version 1.4: 4.7.2516, KiloView 
Encoder Series E1 hardware Version 1.6.20: 
4.7.2511|4.8.2523|4.8.2611|4.6.2400|4.7.2512|4.8.2561|4.8.2554|4.3.2029
|4.8.2555|4.6.2408, KiloView Encoder Series E1-s hardware Version 1.4: 
4.7.2516|4.8.2519|4.8.2525|4.8.2611|4.8.2561|4.8.2554|4.8.2523, 
KiloView Encoder Series E2 hardware Version 1.7.20: 4.8.2611|4.8.2561, 
KiloView Encoder Series E2 hardware Version 1.8.20: 
4.8.2523|4.8.2611|4.8.2554, KiloView Encoder Series G1 hardware 
Version 1.6.20: 4.8.2561, KiloView Encoder Series P1 hardware Version 
1.3.20: 4.8.2633|4.8.2608, KiloView Encoder Series P2 hardware Version 
1.8.20: 4.8.2633, KiloView Encoder Series RE1 hardware Version 2.0.00: 
4.7.2513, KiloView Encoder Series RE1 hardware Version 3.0.00: 
4.8.2519|4.8.2561|4.8.2611|4.8.2525

Product Status:
known_affected


Remediations

Mitigation

KiloView has not responded to requests to work with CISA to mitigate 
this vulnerability. Users of affected versions of KiloView Encoder 
Series are invited to contact KiloView customer support for additional 
information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics

CVSS Version 	Base Score 	Base Severity 	Vector String
3.1 	9.8 	CRITICAL 	
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Acknowledgments

    Muhammad Ammar (0xam225) reported this vulnerability to CISA


Legal Notice and Terms of Use

This product is provided subject to this Notification 
(https://www.cisa.gov/notification) and this Privacy & Use policy 
(https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of 
exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or 
systems, ensuring they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and 
isolating them from business networks.

When remote access is required, use more secure methods, such as 
Virtual Private Networks (VPNs), recognizing VPNs may have 
vulnerabilities and should be updated to the most current version 
available. Also recognize VPN is only as secure as the connected 
devices.

CISA reminds organizations to perform proper impact analysis and risk 
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended 
practices on the ICS webpage on cisa.gov/ics. Several CISA products 
detailing cyber defense best practices are available for reading and 
download, including Improving Industrial Control Systems Cybersecurity 
with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity 
strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly 
available on the ICS webpage at cisa.gov/ics in the technical 
information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion 
Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow 
established internal procedures and report findings to CISA for 
tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect 
themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email 
messages.

Refer to Recognizing and Avoiding Email Scams for more information on 
avoiding email scams.

Refer to Avoiding Social Engineering and Phishing Attacks for more 
information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability 
has been reported to CISA at this time.


Revision History

    Initial Release Date: 2026-01-29

Date 	Revision 	Summary
2026-01-29 	1 	Initial Publication


Legal Notice and Terms of Use

This product is provided subject to this Notification and this Privacy 
& Use policy.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================