Zero-click Hikvision Cameras RCE Flaw (CVE-2021-36260)

BACKGROUND

More than 80,000 Hikvision cameras have been discovered to be vulnerable to exploitation and
exposed on the public Internet. These vulnerabilities were fixed by Hikvision last year, however there
are still cameras that have not been updated with the latest firmware thus remain unfixed. Hikvision
has released four repair firmware since the first repair.

Any hacker with a little skill can use the vulnerability to infect these cameras or monitor or use it to
expand the botnet to launch attacks, etc. The account passwords of these cameras are being sold by
hackers, and these passwords can be used to remotely connect and control the cameras.

IMPACT

Attackers can gain access to devices and potentially even launch a physical attack.

It can be used either for "botnetting" or lateral movement.
Attackers can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.

AFFECTED VERSIONS

Please install the updates immediately if your device firmware version is dated earlier than 210628 (28
June 2021).
Information of affected versions and resolved versions can be found at the link below:
Security Notification - Command Injection Vulnerability in Some Hikvision products - Command Injection Vulnerability - Hikvision

RECOMMENDATIONS

Rename the default admin account and set a new admin password.
Use a strong password or passphrase and change it regularly. Best practice is to change the password
every 3 to 6 months.
Keep camera devices only on a local network.
Enable multi-factor authentication for devices to prevent unauthorized access to accounts.
If the camera is wirelessly capable, turn on WPA2 Encryption to prevent eavesdroppers from
connecting or accessing video feeds.
Keep your software up to date. Install the latest available firmware update
(https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notificationcommand-injection-vulnerability-in-some-hikvision-products/security-notification-commandinjection-vulnerability-in-some-hikvision-products/)
Be sure to always backup video footage.
Isolate the IoT network from critical assets using a firewall or VLAN.

References

https://www.bleepingcomputer.com/news/security/over-80-000-exploitable-hikvisio…

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-n…

https://securityonline.info/cve-2021-36260-zero-click-hikvision-cameras-rce-fla…

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36260

https://urgentcomm.com/2022/08/29/thousands-of-organizations-remain-at-risk-fro…