CP Plus 8 Ch. Network Video Recorder

Plan PatchCVSS 8.4ICS-CERT ICSA-26-148-05May 28, 2026

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionRequired

Summary

A cross-site scripting (XSS) vulnerability exists in the CP-UNR-108F1 web interface. An attacker with administrative credentials can inject malicious JavaScript code that executes in the browser of any authenticated user who accesses the affected interface. This allows the attacker to compromise user sessions, perform unauthorized actions with the victim's privileges, steal or modify sensitive data, and degrade system integrity. The vulnerability is present in firmware version V3.2.7.128806 and system version V4.001.00AT009.0.R. CP Plus has released patched firmware version V1.00.14.01.T.260326.

What this means

What could happen

An attacker with admin credentials can inject malicious code into the web interface that executes when any user accesses it, allowing session hijacking, unauthorized actions, data theft, or manipulation of video recorder settings and recordings.

Who's at risk

Video surveillance operators and administrators managing CP Plus 8-channel network video recorders (CP-UNR-108F1 model) in security monitoring infrastructure should prioritize this update. This affects any facility relying on these recorders for physical security or compliance recording.

How it could be exploited

An authenticated administrator visits the affected web interface (likely through a stored XSS vulnerability in a configuration field or management page). The attacker's injected script runs in the administrator's browser, stealing session cookies or forcing unauthorized commands that affect video recording, archival, or system configuration.

Prerequisites

Valid administrator credentials for the CP-UNR-108F1 web interface
Ability to inject script code into an input field or parameter that is stored and reflected to users
Victim user (administrator or authenticated user) must access the compromised interface page

Remotely exploitableRequires administrator credentialsNo authentication required from attacker once admin accesses compromised pageAffects security-critical surveillance system

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (3)

3 pending

ProductAffected VersionsFix Status

CP-UNR-108F1 Hardware: V1.0V1.0No fix yet

CP-UNR-108F1 Web: V3.2.7.128806V3.2.7.128806No fix yet

CP-UNR-108F1 System: V4.001.00AT009.0.RV4.001.00AT009.0.RNo fix yet

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGRestrict web interface access to the CP-UNR-108F1 to trusted administrator networks using network segmentation or firewall rules

HARDENINGRequire strong, unique administrator passwords on the CP-UNR-108F1 and enforce regular password changes

HARDENINGDisable or restrict remote access to the web interface if not operationally required

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CP-UNR-108F1 firmware to version V1.00.14.01.T.260326 or later using the firmware file available from CP Plus support

CVEs (1)

CVE-2026-6824

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/64d69647-cbf3-421c-a829-2ae1c0caa785

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.