Hikvision cameras could be remotely hacked due to critical flaw

A critical issue, tracked as CVE-2021-36260, affects more than 70 Hikvision device models and can allow attackers to take over them.

A critical vulnerability, tracked as CVE-2021-36260, affects more than 70 Hikvision camera and NVR models and can allow attackers to take over the devices.

The vulnerability is an unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware, it was discovered by a security researcher that goes online with the moniker “Watchful IP.”

“The majority of the recent camera product ranges of Hikvision cameras are susceptible to a critical remote unauthenticated code execution vulnerability even with latest firmware (as of 21 June 2021).” wrote the expert. “

“This permits an attacker to gain full control of device with an unrestricted root shell, which is far more access than even the owner of the device has as they are restricted to a limited “protected shell” (psh) which filters input to a predefined set of limited, mostly informational commands.”

Upon compromising the IP camera, an attacker can also use the hacked device to access internal networks posing a risk to the infrastructure that use the devices.

The researcher pointed out that the exploitation of the issue doesn’t require user interaction, the attacker only needs access to the http(s) server port (typically 80/443).

“Given the deployment of these cameras at sensitive sites potentially even critical infrastructure is at risk,” continues the post. “No username or password needed nor any actions need to be initiated by the camera owner. It will not be detectable by any logging on the camera itself.”

The expert pointed out that every firmware developed since 2016 has been tested and found to be vulnerable.

The vulnerability impacts Hikvision cameras and NVRs, a list of affected products was published in the security advisory published by the vendor.

“A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.” reads the vendor’s advisory.

According to Hikvision, the vulnerability is due insufficient input validation and can be exploited by sending specially crafted messages to vulnerable devices.

The company states that the attacker can exploit the flaw only if he has access to the device network or the device has direct interface with the Internet.

The vulnerability was reported to the vendor in June, the company released firmware updates on September 19.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]