Insecure Hikvision security cameras can be taken over remotely

Firmware vulnerability CVE-2021-36260 was discovered in 2021. According to a whitepaper by CYFIRMA, tens of thousands of systems used by thousands of organizations across hundreds of countries have still not applied the firmware update and remain vulnerable to exploitation, even though Hikvision addressed the flaw in a firmware update in September 2021.

For customers under our SensorComb monitoring system: if your system is vulnerable to CVE-2021-36260, you will have received a notification asking you to update your system’s firmware.

For customers under maintenance or CCTV subscription services: if your system is affected, it would already have been upgraded by our technicians.

If you wish to check whether your system is affected, you can do so via the Hikvision website using your system’s serial number. The serial number can be found on the invoice or on the equipment itself.

Visit the following link and key in your equipment serial number.
https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/firmware-download/


FAQs on CVE-2021-36260

Q: What is the Command Injection Vulnerability?

A: As stated in Hikvision’s official HSRC-202109-01 Security Notification, a Command Injection Vulnerability was found in the web server of some Hikvision products. Due to insufficient input validation, an attacker could potentially exploit the vulnerability to launch a command injection attack by sending a specially crafted message with malicious commands.

Q: Where can I get more information?

A:
• Hikvision Security Notification. The company released the Security Notification on its website on September 18th and posted it on its social media accounts on September 19th.
• Security Researcher Disclosure Report

Q: Is this a Chinese government back door?

A: No. Hikvision does not have government backdoors in our products. Watchful_IP, the security researcher who responsibly reported this vulnerability to Hikvision, stated,  “No, definitely NOT. You wouldn’t do it like this. And not all firmware types are affected.”

Q: What has Hikvision done to deal with the vulnerability?

A: Hikvision follows responsible disclosure principles and the standard Coordinated Vulnerability Disclosure Process that is widely accepted in global industries and pertains to the mechanisms by which vulnerabilities are shared and disclosed in a controlled way to best protect the owners and end users of software.

On June 23, 2021, Hikvision was contacted by a security researcher, named Watchful IP, who reported a potential vulnerability in a Hikvision camera. Once we confirmed receipt of this report, Hikvision worked directly with the researcher to patch and verify the successful mitigation of the reported vulnerability.

As the researcher noted in his disclosure report, he was “pleased to note this problem was fixed in the way recommended.”

After the company and the researcher both ensured that the vulnerability had been properly patched by the updated firmware, we released the Security Notification on the company’s website and social media on September 19th.


More information

https://www.hikvision.com/sg/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/

https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover

https://www.malwarebytes.com/blog/news/2021/09/patch-now-insecure-hikvision-security-cameras-can-be-taken-over-remotely

https://nvd.nist.gov/vuln/detail/CVE-2021-36260

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36260