Disclosure timeline for four bmcweb findings reported in February 2026. Two were quietly patched on the same day, with a single GHSA covering one of them — and the GHSA has no CVE attached. The other two remain unpatched on master. The story is less about any one bug than about how thin the path from upstream advisory to vendor firmware actually is.
Born Insecure: What Firmware Analysis Reveals About IoT Security Debt
I analyzed seven firmware images from a major IoT camera vendor and found shared private keys, plaintext cloud protocols, and a command injection chain — all baked into the architecture from day one. This isn’t an end-of-life problem. It’s a design problem.