Full Report
Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.
Analysis Summary
# Vulnerability: Critical Command Injection in Hikvision Surveillance Cameras
## CVE Details
- CVE ID: CVE-2021-36260
- CVSS Score: 9.8 (Critical)
- CWE: Command Injection (inferred from the description; the source text does not state the CWE identifier)
## Affected Systems
- Products: Hikvision Surveillance Cameras
- Versions: Unspecified vulnerable versions remain unpatched nearly a year after disclosure.
- Configurations: Any device lacking the necessary security patch. The issue may be compounded by the use of default credentials.
## Vulnerability Description
The vulnerability is a command injection flaw in Hikvision surveillance cameras that allows an attacker to execute arbitrary operating system commands on an affected device. The number of devices still unpatched (over 80,000 globally) shows a widespread failure to apply the security update for this flaw.
## Exploitation
- Status: PoC available (implied by the public disclosure and subsequent research); black/gray market activity observed. Attackers are collaborating on exploitation in dark web forums, and leaked credentials are being sold.
- Complexity: Low (inferred from the severity of the command injection and the observed widespread successful targeting).
- Attack Vector: Network (implied by the remote nature of the vulnerability and the discovery of exposed devices via Shodan/Censys).
## Impact
- Confidentiality: High (Access to cameras/systems could lead to surveillance and data leakage).
- Integrity: High (Arbitrary command execution can lead to system compromise and tampering).
- Availability: High (Attackers could disrupt or disable the surveillance functionality).
## Remediation
### Patches
- No specific patch version numbers are listed in the text, but the vulnerability was disclosed 11 months prior to the article date (August 2022). Users must apply the officially released patch for CVE-2021-36260 from the vendor.
### Workarounds
- **Change Default Credentials:** Users are strongly advised to change all default or predetermined passwords immediately, as systems with weak credentials combined with this vulnerability present an immediate risk.
- **Network Segmentation/Restriction:** Isolate vulnerable IoT devices from critical network segments if direct patching is delayed.
## Detection
- **Indicators of Compromise:** Monitoring for unusual outbound network activity or unauthorized access attempts targeting the camera web interface or management ports.
- **Detection Methods and Tools:** Organizations can proactively scan their internet-facing assets using services like Shodan or Censys to identify potentially vulnerable Hikvision cameras exposed to the public internet. Forensic confirmation of past breaches is reported to be difficult.
## References
- Vendor Advisories: Specific vendor advisory for CVE-2021-36260 (Search vendor documentation for the CVE).
- Relevant links:
  - Research Report: defanged/wp-content/uploads/2022/08/HikvisionSurveillanceCamerasVulnerabilities.pdf
  - NIST NVD Entry: defanged/vuln/detail/CVE-2021-36260
  - Threatpost Article: defanged/cybercriminals-are-selling-access-to-chinese-surveillance-cameras/180478/