The attacker has access to the device network, or the device has a direct interface to the internet.
Send a specially crafted message.
Obtaining fixed firmware:
Users should download the updated firmware to guard against this potential vulnerability. It is available on the Hikvision official website: Firmware download
Source of vulnerability information:
This vulnerability was reported to HSRC by UK security researcher Watchful IP.
Should you have a security problem or concern, please contact Hikvision Security Response Center at email@example.com.
SN No.: HSRC-202109-01
Edit: Hikvision Security Response Center (HSRC)
Initial release date: 2021-09-19
Download fixed firmware here: Firmware Download
A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.
CVSS v3 is adopted for this vulnerability scoring (http://www.first.org/cvss/specification-document)
Base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Temporal score: 8.8 (E:P/RL:O/RC:C)
Affected versions and resolved versions:
Information on affected versions and resolved versions: