Command Injection Vulnerability

    Precondition:

    The attacker has access to the device's network, or the device has a direct interface to the internet.

    Attack step:

    Send a specially crafted message.

    Obtaining fixed firmware:

    Users should download the updated firmware to guard against this vulnerability. It is available on the official Hikvision website: Firmware download

    Source of vulnerability information:

    This vulnerability was reported to HSRC by UK security researcher Watchful IP.

    Contact Us:

    Should you have a security problem or concern, please contact Hikvision Security Response Center at hsrc@hikvision.com.


    Security Notification - Command Injection Vulnerability in Some Hikvision Products

    SN No.: HSRC-202109-01

    Editor: Hikvision Security Response Center (HSRC)

    Initial release date: 2021-09-19

    Download fixed firmware here: Firmware Download

    Summary:

    A command injection vulnerability exists in the web server of some Hikvision products. Because of insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.
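    The advisory names the root cause (insufficient input validation of a request parameter that reaches a system command) but not the affected handler. The following added example is not Hikvision's code and does not describe the real endpoint; the handler, the parameter name (`iface`) and the command are hypothetical. It contrasts the vulnerable pattern (splicing the parameter into a shell command line) with the hardened one (allowlist validation plus an argv list, so no shell ever parses the value), and it only builds command lines so it can be inspected offline.

```python
"""Vulnerable vs hardened handling of a request parameter that reaches a system
command. Added illustration: handler, parameter and command are hypothetical."""
import re
import subprocess

# Hypothetical device web handler: a request parameter selects a network interface
# whose status the device reports back. The allowlist describes what a real
# interface name looks like; anything else is refused.
IFACE_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")


def build_command_vulnerable(iface: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell command line as-is.
    Characters the shell treats specially (; | & $ ` and friends) pass straight
    through, which is exactly the class of bug the advisory describes."""
    return f"ifconfig {iface}"  # a vulnerable server would run this with shell=True


def build_command_hardened(iface: str) -> list:
    """Hardened pattern: reject anything outside the allowlist, then return an
    argv list so the value is never interpreted by a shell at all."""
    if not IFACE_RE.match(iface):
        raise ValueError("invalid interface name")
    return ["ifconfig", iface]


def run_hardened(iface: str) -> subprocess.CompletedProcess:
    """Execute without a shell; kept separate from the builder so validation can be
    exercised without actually running anything."""
    return subprocess.run(build_command_hardened(iface), shell=False,
                          capture_output=True, text=True, timeout=5, check=False)


def shell_metacharacters_present(cmd: str) -> bool:
    """Review helper: does a built command line contain characters a shell would
    interpret? Shows what the vulnerable builder lets through."""
    return any(ch in cmd for ch in ";|&$`\n<>()")


def is_rejected(iface: str) -> bool:
    """True if the hardened builder refuses the value (convenience for checks)."""
    try:
        build_command_hardened(iface)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input containing a shell separator.
    sample = "eth0; echo injected"
    print("vulnerable:", repr(build_command_vulnerable(sample)),
          "metacharacters:", shell_metacharacters_present(build_command_vulnerable(sample)))
    print("hardened rejects sample:", is_rejected(sample))
    print("hardened argv for eth0:", build_command_hardened("eth0"))
```

The design point is that validation alone is not the whole fix: the hardened builder both restricts the value to an allowlist and hands it to the process as a separate argv element, so even a value that slipped past the regex would be an argument to the program, not text for a shell to parse.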

    CVE ID:

    CVE-2021-36260

    Scoring:

    CVSS v3 is adopted for scoring this vulnerability (http://www.first.org/cvss/specification-document).

    Base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    Temporal score: 8.8 (E:P/RL:O/RC:C)

    Affected versions and resolved version:

    Information on affected versions and resolved versions:
