A critical vulnerability has been reported in multiple products from Hikvision, a Chinese state-controlled manufacturer and supplier of civilian and military surveillance equipment. According to the report, the malicious exploitation of this flaw would allow the deployment of dangerous intrusions on the affected devices.
Tracked as CVE-2021-36260, this vulnerability exists due to improper input validation on affected devices, which would allow unauthenticated remote threat actors to pass specially crafted data and execute arbitrary commands on the target system, cybersecurity experts mentioned.
This vulnerability received a score of 8.8/10 according to the Common Vulnerability Scoring System (CVSS), as its malicious exploitation would allow threat actors to compromise affected systems completely.
According to the report, the flaw lies in the following Hikvision products and versions:
- DS-2CVxxx1: Versions earlier than v210625
- DS-2CVxxx6: All versions
- HWI-xxxx: All versions
- IPC-xxxx: all versions
- DS-2CD1xx1: All versions
- DS-2CD1x23G0E(C): All versions
- DS-2CD1x43(B): All versions
- DS-2CD1x43(C): All versions
- DS-2CD1x43G0E: All versions
- DS-2CD1x53(B): All versions
- DS-2CD1x53(C): All versions
- DS-2CD1xx7G0: All versions
- DS-2CD2xx6G2: All versions
- DS-2CD2xx6G2(C): All versions
- DS-2CD2xx7G2: All versions
- DS-2CD2xx7G2(C): All versions
- DS-2CD2x21G0(C): All versions
- DS-2CD2x21G1(C): All versions
- DS-2CD2xx3G2: All versions
- DS-2CD3xx6G2: All versions
- DS-2CD3xx6G2(C): All versions
- DS-2CD3xx7G2: All versions
- DS-2CD3xx7G2(C): All versions
- DS-2CD3xx7G0E: All versions
- DS-2CD3x21G0: All versions
- DS-2CD3x21G0(C): All versions
- DS-2CD3x51G0(C): All versions
- DS-2CD3xx3G2: All versions
- DS-2CD4xx0: All versions
- DS-2CD4xx6: All versions
- iDS-2XM6810: All versions
- iDS-2CD6810: All versions
- DS-2XE62x2F(D): All versions
- DS-2XC66x5G0: All versions
- DS-2XE64x2F(B): All versions
- DS-2CD8Cx6G0: All versions
- (i)DS-2PTxxxx: All versions
- (i)DS-2SE7xxxx: All versions
- DS-2DYHxxxx: All versions
- DS-2DY9xxxx: All versions
- PTZ-Nxxxx: All versions
- HWP-Nxxxx: All versions
- DS-2DF5xxxx: All versions
- DS-2DF6xxxx: All versions
- DS-2DF6xxxx-Cx: All versions
- DS-2DF7xxxx: All versions
- DS-2DF8xxxx: All versions
- DS-2DF9xxxx: All versions
- iDS-2PT9xxxx: All versions
- iDS-2SK7xxxx: All versions
- iDS-2SK8xxxx: All versions
- iDS-2SR8xxxx: All versions
- iDS-2VSxxxx: All versions
- DS-2TBxxx: All versions
- DS-Bxxxx: All versions
- DS-2TDxxxxB: All versions
- DS-2TD1xxx-xx: All versions
- DS-2TD2xxx-xx: All versions
- DS-2TD41xx-xx/Wx: All versions
- DS-2TD62xx-xx/Wx: All versions
- DS-2TD81xx-xx/Wx: All versions
- DS-2TD4xxx-xx/V2: All versions
- DS-2TD62xx-xx/V2: All versions
- DS-2TD81xx-xx/V2: All versions
- DS-76xxNI-K1xx(C): All versions
- DS-76xxNI-Qxx(C): All versions
- DS-HiLookI-NVR-1xxMHxx-C(C): All versions
- DS-HiLookI-NVR-2xxMHxx-C(C): All versions
- DS-HiWatchI-HWN-41xxMHxx(C): all versions
- DS-HiWatchI-HWN-42xxMHxx(C): All versions
- DS-71xxNI-Q1xx(C): All versions
- DS-HiLookI-NVR-1xxMHxx-D(C): All versions
- DS-HiLookI-NVR-1xxHxx-D(C): All versions
- DS-HiWatchI-HWN-21xxMHxx(C): All versions
- DS-HiWatchI-HWN-21xxHxx(C): All versions
- DS-2CD1x23G0: All versions
- DS-2CD2xx1G0: All versions
- DS-2CD2xx1G1: All versions
- DS-2CD2x27G1: All versions
- DS-2CD2x27G3E: All versions
- DS-2CD4xx6FWD: All versions
- DS-2CD4xx5G0: All versions
- DS-2XE6xx5G0: All versions
- DS-2XE6xx2F: All versions
- DS-2XM6xx2FWD: All versions
- DS-2XM6xx2G0: All versions
- (i)DS-2DExxxx: All versions
While the vulnerability could be exploited by unauthenticated threat actors, no active exploitation attempts have been recorded so far. However, cybersecurity specialists report the availability of an exploit linked to this flaw, so they recommend users of affected implementations to apply the available patches as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.