On September 19, 2021, Hikvision released a security advisory (CVE-2021-36260) regarding an unauthenticated remote code execution vulnerability reported to them on June 21, 2021, by a researcher at Watchful IP. A firmware update available on the Hikvision official website is required to mitigate the vulnerability.
What is the nature of the vulnerability?
A critical unauthenticated remote code execution vulnerability that affects a significant range of Hikvision camera products allows the attacker more control than the owner of the device would ordinarily have. Once the attacker has access to the device network, or if the device is directly connected to the internet, an unrestricted root shell can be obtained to completely compromise the IP camera.
Once the camera is compromised, internal network connections become vulnerable to attack. No action is required by the owner and no username or password needed for the attacker to gain access; only http port access is needed.
What’s at risk?
The IP camera can be completely compromised relatively easily, and any internal networks connected to the IP camera can then be attacked. According to Watchful IP, “given the deployment of these cameras at sensitive sites potentially even critical infrastructure is at risk.”
|Product Name||Affected Version(s)|
|Versions with Build time before 210625|
|Versions which Build time before 210702|
|V4.30.210 Build201224 – V4.31.000 Build210511|
|V4.30.300 Build210221 – V4.31.100 Build210511|
What can I do to protect against this vulnerability?
Apply the most recent Hikvision firmware update to all affected devices as soon as possible to patch the vulnerability. No other workaround is documented.
Hikvision Security Advisory:
Watchful IP Technical Article: