SAMPLE — for demonstration only

Monthly Security Summary

April 2026 · Northridge Plaza Properties

Prepared by IoTGuardian

Executive summary

April was a steady month at Northridge. The work we agreed to in the March assessment is largely on schedule: vendor coordination is moving the camera firmware rollout forward, the POS administrator password rotation is complete on all six terminals, and the network segmentation work is through design review and ready for change-window execution in the second week of May. There were no incidents this month and no findings that required immediate ownership attention.

We did encounter one item worth flagging early: a single late-month CVE in the door-access controller line your firm uses. The vendor has not released a patch and is unlikely to before retirement of the affected firmware family. We have applied the mitigation we discussed at the quarterly review (segmenting the controller onto its own VLAN with no inbound paths) and will track the vendor’s response into May.

Posture score

72 / 100
+4 from March

Internal scoring model, not an industry standard. Components: device patch currency, configuration drift, identity hygiene, segmentation, backup verification.

Changes detected this month

Devices added (3)

  • CAM-113: Hikvision DS-2CD2387G2 @ Plaza B — Lobby

    Enrolled with unique credentials and patched at install.

  • PRT-605: Brother HL-L8360CDW @ Head Office — Owner area

    Default credentials replaced; placed on the office VLAN.

  • MOB-511: iPad 10th gen @ Plaza A — Tour kit

    Intune enrolled.

Firmware updates applied (2)

  • Cameras CAM-104 brought to V5.8.1.
  • Network gear refresh: UDM-Pro NET-201 to 4.0.21.

Vendor account rotations (1)

  • Camera vendor support account moved from a single shared login to two named technician accounts with just-in-time elevation.

Vulnerabilities reviewed

14 CVEs published this month affect product families on your inventory. 11 were not applicable. 3 were applicable: 2 patched, 1 mitigation in place. The technical appendix below has detail.

Remediations completed

The following risk-register entries were closed in April:

  • NRP-002
  • NRP-006
  • NRP-007
  • NRP-009
  • NRP-014
  • NRP-016
  • NRP-017
  • NRP-019
  • NRP-021

Open findings progressing

  • High: 5 → 3 (closed: NRP-006, NRP-007)
  • Medium: 12 → 10 (closed: NRP-016, NRP-017)
  • Low: 8 → 6 (closed: NRP-019, NRP-021)

Technical appendix

For the client’s IT staff. Skip if you do not maintain the environment day to day.

CVE detail

CVE             CVSS  Component               Status     Notes
CVE-2026-31482  7.5   Camera RTSP stack       Patched    All twelve units on 5.8.1+.
CVE-2026-31604  6.4   UPS web UI              Patched    UPS firmware bumped on weekend window.
CVE-2026-32011  8.1   Door access controller  Mitigated  Vendor patch pending; controller isolated on its own VLAN.

Configuration diffs

  • Switch stack: VLAN 30 (POS) split out from VLAN 10 (office); ACL applied to deny VLAN 30 -> VLAN 10 except DNS and the property portal CIDR.
  • UDM-Pro: WAN inbound rule for camera vendor TCP 443 removed; vendor access now via just-in-time tool.
  • Intune: tablet policy baseline applied (PIN required, six-character minimum, encryption enforced, remote wipe enabled).

Audit log highlights

  • 4 admin logins to property portal — all from listed sites and with MFA.
  • 2 failed admin logins on UDM-Pro — both from the office IP after password manager rollout day. Resolved the same day by the user re-syncing TOTP.
  • 0 alerts from the camera VLAN egress rule.

Next month — planned activities

  • Complete network segmentation cut-over in the 11 May change window.
  • Replace the door-access controller with the vendor’s current model.
  • Stand up off-site immutable backup target and run first restore test.
  • Run the one-hour staff security-awareness session (scheduled 23 May).

SAMPLE — for demonstration only. Prepared by IoTGuardian for “Northridge Plaza Properties”, a fictional client used to illustrate our Monthly Security Summary format.

Real engagement reports are delivered privately. Contact hello@iotguardian.iqcloud.cloud to discuss your environment.