SN No. HSRC-202206-01
Edit: Hikvision Security Response Center (HSRC)
Initial Release Date: 2022-06-23
The web module in some Hikvision Hybrid SAN/Cluster Storage products has the following security vulnerabilities:
1) Due to insufficient input validation, an attacker can exploit the vulnerability to execute restricted commands by sending messages containing malicious commands to the affected device.
2) Due to insufficient input validation, an attacker can exploit the vulnerability to perform a cross-site scripting (XSS) attack by sending specially crafted messages to the affected device.
CVSS v3.1 is adopted in this vulnerability scoring.
Vulnerability 1 (restricted command execution):
Base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Temporal score: 6.7 (E:P/RL:O/RC:C)
Vulnerability 2 (XSS):
Base score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Temporal score: 5.9 (E:P/RL:O/RC:C)
Affected Versions and Fixes
| Product Name | Affected Versions |
| --- | --- |
| DS-A71024/48/72R | V2.3.8-6 and earlier |
| DS-A71024/48R-CVS | V1.1.4 and earlier |
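When checking an inventory against the table above, the version strings must be compared numerically, component by component, rather than as text (a plain string comparison would place "V2.3.10" before "V2.3.8-6"). The helper below is an added example written for this page, not a Hikvision tool. It assumes the version format shown in the table: an optional "V" prefix, dotted numeric components, and an optional "-N" build suffix, with a missing suffix treated as build 0. It also assumes the usual reading of the row labels, where "DS-A71024/48/72R" abbreviates DS-A71024R, DS-A71048R and DS-A71072R; if your model strings differ from that expansion, adjust `expand_models` accordingly.

```python
"""Affected-version check for the product table in this advisory (added example)."""
import re

# Upper bound of the affected range per table row (inclusive), copied from the advisory.
AFFECTED = {
    "DS-A71024/48/72R": "V2.3.8-6",
    "DS-A71024/48R-CVS": "V1.1.4",
}

_VERSION_RE = re.compile(r"[Vv]?(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(text: str) -> tuple:
    """'V2.3.8-6' -> (2, 3, 8, 0, 6): four dotted components (zero-padded) plus build.
    A missing '-N' suffix is treated as build 0 (assumption, not stated by the advisory)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError("too many version components: %r" % text)
    parts += [0] * (4 - len(parts))
    build = int(m.group(2)) if m.group(2) else 0
    return tuple(parts) + (build,)


def expand_models(label: str) -> list:
    """Expand a row label such as 'DS-A71024/48/72R' into full model names.
    Assumed reading: the first piece is a full model number without suffix, the
    following pieces replace its trailing digits, and the last piece carries the
    common suffix ('R' or 'R-CVS')."""
    head, *alts = label.split("/")
    if not alts:
        return [head]
    m = re.match(r"(\d+)(.*)$", alts[-1])
    if not m:
        raise ValueError("cannot parse model label: %r" % label)
    suffix = m.group(2)
    alts[-1] = m.group(1)
    width = len(alts[0])
    stem = head[:-width]
    return [head + suffix] + [stem + alt + suffix for alt in alts]


def is_affected(model: str, version: str) -> bool:
    """True if `model` appears in the table and `version` is at or below the listed bound."""
    v = parse_version(version)
    for label, bound in AFFECTED.items():
        if model in expand_models(label) and v <= parse_version(bound):
            return True
    return False


if __name__ == "__main__":
    for model, ver in (("DS-A71048R", "V2.3.8-6"), ("DS-A71024R", "V2.3.10"),
                       ("DS-A71048R-CVS", "V1.1.4"), ("DS-A71072R", "V2.3.8-7")):
        print(model, ver, "affected" if is_affected(model, ver) else "not affected")
```

Because the advisory gives no fixed version number, the check can only say whether a device falls inside the listed range; a device above the bound should still be verified against the firmware actually published on the Hikvision website.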
Exploit conditions:
1) The attacker has network access to the affected device.
2) The attacker sends a specially crafted malicious message to the device's web module.
Obtaining Fixed Versions
Users can download patches/updates from the Hikvision official website to mitigate these vulnerabilities.
Source of vulnerability information:
These vulnerabilities were reported to HSRC by independent security researcher Thurein Soe.
To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at firstname.lastname@example.org.
Hikvision would like to thank all the security researchers who help identify and mitigate potential vulnerabilities in our products to ensure that our solutions protect people, places, and assets while user data is safeguarded.