KiloView Encoder Series (Update A)
Act Now | 9.8 | ICS-CERT ICSA-26-029-01 | Jan 29, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
KiloView Encoder Series G1, P1, P2, RE1, E1, E1-s, and E2 hardware contain an authentication bypass vulnerability (CWE-306) that allows unauthenticated attackers to create or delete administrator accounts, granting full administrative control over the encoder. KiloView has declared these hardware versions end-of-life and states that no patches will be released due to hardware limitations. Mitigation options are network isolation or upgrade to newer hardware.
What this means
What could happen
An attacker can create or delete administrator accounts on affected KiloView encoders without authentication, gaining full control over video encoder settings and potentially altering stream configurations, credentials, or forcing service unavailability across broadcast or surveillance systems.
Who's at risk
Broadcast and video surveillance operators using KiloView Encoder Series G1, P1, P2, RE1, E1, E1-s, or E2 hardware. This affects any facility relying on these encoders for remote video transmission or streaming (sports venues, news studios, traffic monitoring centers, emergency services).
How it could be exploited
An attacker on the network sends administrative API calls or web requests to the encoder's management interface on the default port. Since no authentication is required (CWE-306), the attacker can directly manipulate user accounts, including creation of backdoor admin accounts or deletion of legitimate administrators.
Prerequisites
- Network access to the KiloView Encoder management interface (typically port 80/443)
- No valid credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, end-of-life hardware
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (10)
10 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Encoder Series RE1 hardware | 4.8.2519, 4.8.2561, 4.8.2611, 4.8.2525 | No fix (EOL) |
| Encoder Series E1 hardware | 4.7.2511, 4.8.2523, 4.8.2611, 4.6.2400, 4.7.2512, 4.8.2561, 4.8.2554, 4.3.2029, 4.8.2555, 4.6.2408 | No fix (EOL) |
| Encoder Series E1-s hardware | 4.7.2516, 4.8.2519, 4.8.2525, 4.8.2611, 4.8.2561, 4.8.2554, 4.8.2523 | No fix (EOL) |
| Encoder Series G1 hardware | Software 4.8.2561 | No fix (EOL) |
| Encoder Series P1 hardware | 4.8.2633, 4.8.2608 | No fix (EOL) |
| Encoder Series P2 hardware | Software 4.8.2633 | No fix (EOL) |
| Encoder Series RE1 hardware | Software 4.7.2513 | No fix (EOL) |
| Encoder Series E1 hardware | Software 4.7.2516 | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Isolate affected KiloView Encoder Series hardware from untrusted networks using network segmentation, VLAN separation, or firewall rules to restrict access to trusted management stations only
- HARDENING: Restrict network access to encoder management interfaces to authorized administrators only using firewall ACLs or IP whitelisting
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Encoder Series RE1 hardware, Encoder Series E1 hardware, Encoder Series E1-s hardware, Encoder Series G1 hardware, Encoder Series P1 hardware, Encoder Series P2 hardware, Encoder Series RE1 hardware, Encoder Series E1 hardware, Encoder Series E2 hardware, Encoder Series E2 hardware. Apply the following compensating controls:
- HARDENING: Plan upgrade to newer KiloView hardware generations (non-end-of-life models) that will receive security patches
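Because isolation is the only control available for these encoders, it is worth verifying that the ACLs actually hold. The following is an added example, not part of the advisory or any KiloView tooling: it audits firewall flow logs for management-port connections to encoders from hosts outside the trusted management range. The encoder addresses, management subnet, log format and sample lines are all constructed assumptions.

```python
import ipaddress

# Assumptions (constructed for this example, not taken from the advisory):
ENCODERS = {"10.20.0.11", "10.20.0.12"}                 # encoder management IPs
MGMT_STATIONS = [ipaddress.ip_network("10.20.9.0/28")]  # trusted admin hosts
MGMT_PORTS = {80, 443}  # the advisory says the interface is typically on 80/443

# Constructed flow log, one record per line: "timestamp src dst dport action"
SAMPLE_LOG = """\
2026-01-30T08:01:12Z 10.20.9.4 10.20.0.11 443 ACCEPT
2026-01-30T08:03:40Z 10.30.5.77 10.20.0.11 80 ACCEPT
2026-01-30T08:03:41Z 10.30.5.77 10.20.0.12 80 DROP
2026-01-30T08:04:02Z 10.20.9.4 10.20.0.12 554 ACCEPT
2026-01-30T08:05:19Z 192.0.2.50 10.20.0.12 443 ACCEPT
malformed line
"""

def is_trusted(src):
    """True if src is inside one of the trusted management networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_STATIONS)

def audit(log_text):
    """Return (violations, blocked, skipped).

    violations: untrusted source reached an encoder management port (ACL gap)
    blocked:    untrusted source was denied (ACL working, still worth review)
    skipped:    count of lines that could not be parsed
    """
    violations, blocked, skipped = [], [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, dport, action = line.split()
            dport = int(dport)
            trusted = is_trusted(src)
        except ValueError:  # wrong field count, bad port, or bad IP address
            skipped += 1
            continue
        if dst not in ENCODERS or dport not in MGMT_PORTS or trusted:
            continue
        (violations if action == "ACCEPT" else blocked).append((ts, src, dst, dport))
    return violations, blocked, skipped

if __name__ == "__main__":
    violations, blocked, skipped = audit(SAMPLE_LOG)
    for v in violations:
        print("ACL GAP:", *v)
    print(f"{len(blocked)} blocked attempt(s), {skipped} unparsed line(s)")
```

Any entry in `violations` means the segmentation rule is not enforced for that path; on a device with no authentication on its account-management functions, follow it with a review of the encoder's administrator account list.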
CVEs (1)