POSTING DATE: 2026/01/14

[VULNERABILITY ALERT] Merit Lilin | IP Camera - OS Command Injection (CVE-2026-0855)

  • Subject: [VULNERABILITY ALERT] Merit Lilin | IP Camera - OS Command Injection (CVE-2026-0855)


  • Content Description:
    • Forwarded from Taiwan Computer Emergency Response Team/Coordination Center Security Alert TWCERTCC-200-202601-00000008
    • [Merit Lilin | IP Camera - OS Command Injection] (CVE-2026-0855, CVSS: 8.8) An OS Command Injection vulnerability exists in certain IP camera models developed by Merit Lilin. An authenticated remote attacker can inject arbitrary operating system commands and execute them on the device.
  • Affected Platforms:
    • IP Camera P2/ P3/ Z7/ P6/ V1/ IPD/ IPR/ LD/ LR series models
  • Recommended Actions:
    • IPD/IPR/LD/LR models have reached end-of-support; replacement is recommended. For other affected models, please refer to the official announcement (M00176) to update the firmware.
  • Reference Material:
    1. https://www.twcert.org.tw/tw/cp-132-10625-fac5c-1.html
    2. https://www.meritlilin.com/security/indexch.html#Anchor

Computer and Communication Center
Network Systems Division, Respectfully