Description
A command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Exploits & PoCs
- nuclei: Hikvision Security Checks, by pdteam
- nuclei: Hikvision IP Camera - Info Exposure, by AbdulrahmanTamim
- nuclei: Hikvision IP camera/NVR - Remote Command Execution, by pdteam, gy741, johnk3r
References
- MISC: https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
- EXPLOIT: http://packetstormsecurity.com/files/164603/Hikvision-Web-Server-Build-210702-Command-Injection.html
- EXPLOIT: http://packetstormsecurity.com/files/166167/Hikvision-IP-Camera-Unauthenticated-Command-Injection.html
- MISC: https://www.cyfirma.com/wp-content/uploads/2022/08/HikvisionSurveillanceCamerasVulnerabilities.pdf
- MISC: https://therecord.media/experts-warn-of-widespread-exploitation-involving-hikvision-cameras/