On September 19, 2021, Hikvision released a security advisory (CVE-2021-36260) regarding an unauthenticated remote code execution vulnerability reported to them on June 21, 2021, by a researcher at Watchful IP. A firmware update available on the Hikvision official website is required to mitigate the vulnerability.
What is the nature of the vulnerability?
A critical unauthenticated remote code execution vulnerability that affects a significant range of Hikvision camera products allows the attacker more control than the owner of the device would ordinarily have. Once the attacker has access to the device network, or if the device is directly connected to the internet, an unrestricted root shell can be obtained to completely compromise the IP camera.
Once the camera is compromised, internal network connections become vulnerable to attack. No action is required by the owner and no username or password needed for the attacker to gain access; only http port access is needed.
What’s at risk?
The IP camera can be completely compromised relatively easily, and any internal networks connected to the IP camera can then be attacked. According to Watchful IP, “given the deployment of these cameras at sensitive sites potentially even critical infrastructure is at risk.”
Affected versions
| Product Name | Affected Version(s) |
|---|---|
| DS-2CVxxx1 DS-2CVxxx6 | Versions with Build time before 210625 |
| HWI-xxxx | |
| IPC-xxxx | |
| DS-2CD1xx1 | |
| DS-2CD1x23G0 DS-2CD1x23G0E(C) DS-2CD1x43(B) DS-2CD1x43(C) DS-2CD1x43G0E DS-2CD1x53(B) DS-2CD1x53(C) | |
| DS-2CD1xx7G0 | |
| DS-2CD2xx6G2 DS-2CD2xx6G2(C) DS-2CD2xx7G2 DS-2CD2xx7G2(C) | |
| DS-2CD2x21G0 DS-2CD2x21G0(C) DS-2CD2x21G1 DS-2CD2x21G1(C) | |
| DS-2CD2xx3G2 | |
| DS-2CD3xx6G2 DS-2CD3xx6G2(C) DS-2CD3xx7G2 DS-2CD3xx7G2(C) | |
| DS-2CD3xx7G0E | |
| DS-2CD3x21G0 DS-2CD3x21G0(C) DS-2CD3x51G0(C) | |
| DS-2CD3xx3G2 | |
| DS-2CD4xx0 DS-2CD4xx6 iDS-2XM6810 iDS-2CD6810 | |
| DS-2XE62x2F(D) DS-2XC66x5G0 DS-2XE64x2F(B) | |
| DS-2CD8Cx6G0 | |
| (i)DS-2DExxxx | |
| (i)DS-2PTxxxx | |
| (i)DS-2SE7xxxx | |
| DS-2DYHxxxx | |
| DS-2DY9xxxx | |
| PTZ-Nxxxx | |
| HWP-Nxxxx | |
| DS-2DF5xxxx DS-2DF6xxxx DS-2DF6xxxx-Cx DS-2DF7xxxx DS-2DF8xxxx DS-2DF9xxxx | |
| iDS-2PT9xxxx | |
| iDS-2SK7xxxx iDS-2SK8xxxx | |
| iDS-2SR8xxxx | |
| iDS-2VSxxxx | |
| DS-2TBxxx DS-Bxxxx DS-2TDxxxxB | Versions which Build time before 210702 |
| DS-2TD1xxx-xx DS-2TD2xxx-xx | |
| DS-2TD41xx-xx/Wx DS-2TD62xx-xx/Wx DS-2TD81xx-xx/Wx DS-2TD4xxx-xx/V2 DS-2TD62xx-xx/V2 DS-2TD81xx-xx/V2 | |
| DS-76xxNI-K1xx(C) DS-76xxNI-Qxx(C) DS-HiLookI-NVR-1xxMHxx-C(C) DS-HiLookI-NVR-2xxMHxx-C(C) DS-HiWatchI-HWN-41xxMHxx(C) DS-HiWatchI-HWN-42xxMHxx(C) | V4.30.210 Build201224 – V4.31.000 Build210511 |
| DS-71xxNI-Q1xx(C) DS-HiLookI-NVR-1xxMHxx-D(C) DS-HiLookI-NVR-1xxHxx-D(C) DS-HiWatchI-HWN-21xxMHxx(C) DS-HiWatchI-HWN-21xxHxx(C) | V4.30.300 Build210221 – V4.31.100 Build210511 |
What can I do to protect against this vulnerability?
Apply the most recent Hikvision firmware update to all affected devices as soon as possible to patch the vulnerability. No other workaround is documented.
Resources
CISA Advisory:
https://us-cert.cisa.gov/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260
Hikvision Security Advisory:
https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/
Watchful IP Technical Article:
https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
