June 23, 2022
Dear Valued Partner:
Today, Hikvision has issued updated firmware on our website that fixes two vulnerabilities (CVE-2022-28171, CVE-2022-28172) in the web module of some Hikvision Hybrid SAN/cluster storage products.
The vulnerabilities have been rated with CVSS v3.1 base scores of 7.5 (high) and 6.5 (medium). The list of products affected by the vulnerability and the patching guidance can be accessed on our website. While Hikvision is not aware of these vulnerabilities being exploited in the field, we recognize that some of our partners may have installed Hikvision equipment that is affected by these vulnerabilities and we strongly encourage them to work with their customers to ensure proper cyber hygiene and install the updated firmware.
With these vulnerabilities, we want to provide you the details and timeline to reassure you of Hikvision’s strong commitment to cybersecurity. In March 2022, two potential vulnerabilities in Hikvision products were reported to the Hikvision Security Response Center (HSRC). Once the HSRC confirmed existence of the vulnerabilities, they worked directly with the reporter to patch and verify the successful mitigation of the reported vulnerabilities, following the standard Coordinated Disclosure Process.
To date, all vulnerabilities that have been reported to Hikvision and/or made publicly known, have been patched in the latest Hikvision firmware, which is readily available on the Hikvision website.
Additionally, Hikvision is a CVE Partner and is committed to continuing to work with third-party ethical hackers and security researchers to find, patch, disclose and release updates to products in a manner that best protects the users of Hikvision products.
Hikvision strictly complies with the laws and regulations in all countries and regions where we operate and we apply the highest standards of cybersecurity practices in an effort to best protect the users of Hikvision products around the world.
Please do not hesitate to contact our team with any questions or concerns.