Command Injection Vulnerability

    Security Notification - Command Injection Vulnerability in Some Hikvision Products

    SN No.: HSRC-202109-01

    Edit: Hikvision Security Response Center (HSRC)

    Initial release date: 2021-09-19

    Download fixed firmware here: Firmware Download

    Summary:

    A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.

    CVE ID:

    CVE-2021-36260

    Scoring:

    CVSS v3 is adopted for this vulnerability scoring (http://www.first.org/cvss/specification-document).

    Base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    Temporal score: 8.8 (E:P/RL:O/RC:C)

    Affected versions and resolved version:

    Information on affected versions and resolved versions:

    Precondition:

    The attacker has access to the device network, or the device has a direct interface with the internet.

    Attack step:

    Send a specially crafted message.

    Obtaining fixed firmware:

    Users should download the updated firmware to guard against this vulnerability. It is available on the Hikvision official website: Firmware download

    Source of vulnerability information:

    This vulnerability was reported to HSRC by UK security researcher Watchful IP.

    Contact Us:

    Should you have a security problem or concern, please contact Hikvision Security Response Center at hsrc@hikvision.com.
