POSTING DATE: 2026/01/14

[VULNERABILITY ALERT] Merit Lilin | IP Camera - OS Command Injection (CVE-2026-0855)

Subject: [VULNERABILITY ALERT] Merit Lilin | IP Camera - OS Command Injection (CVE-2026-0855)

Content Description:
- Forwarded from Taiwan Computer Emergency Response Team/Coordination Center Security Alert TWCERTCC-200-202601-00000008
- [Merit Lilin | IP Camera - OS Command Injection] (CVE-2026-0855, CVSS: 8.8) An OS Command Injection vulnerability exists in certain IP camera models developed by Merit Lilin. An authenticated remote attacker can inject arbitrary operating system commands and execute them on the device.
Affected Platforms:
- IP Camera P2/ P3/ Z7/ P6/ V1/ IPD/ IPR/ LD/ LR series models
Recommended Actions:
- IPD/IPR/LD/LR models have reached end-of-support; replacement is recommended. For other affected models, please refer to the official announcement (M00176) to update the firmware.
Reference Material:
1. https://www.twcert.org.tw/tw/cp-132-10625-fac5c-1.html
2. https://www.meritlilin.com/security/indexch.html#Anchor

Computer and Communication Center
Network Systems Division, Respectfully