CVE-2021-36260
📋 TL;DR
CVE-2021-36260 is a critical command injection vulnerability in Hikvision web servers that allows unauthenticated attackers to execute arbitrary commands on affected devices. This affects various Hikvision surveillance products including IP cameras, NVRs, and access control systems. Organizations using vulnerable Hikvision devices are at risk of complete system compromise.
💻 Affected Systems
- Hikvision IP cameras
- Hikvision NVRs
- Hikvision access control systems
- Various Hikvision surveillance products
📦 What is this software?
Ds 2cd2121g0 I(w)(s) Firmware by Hikvision
Ds 2cd2421g0 I(d)(w) Firmware by Hikvision
Ds 2cd2621g0 I(z)(s) Firmware by Hikvision
Ds 2cd2626g2 Izsu/sl Firmware by Hikvision
Ds 2cd2646g2 Izsu/sl Firmware by Hikvision
Ds 2cd2666g2 Izsu/sl Firmware by Hikvision
Ds 2cd2686g2 Izsu/sl Firmware by Hikvision
Ds 2cd2721g0 I(z)(s) Firmware by Hikvision
Ds 2df5225x Ae3(t3) Firmware by Hikvision
Ds 2df5225x Ael(t3) Firmware by Hikvision
Ds 2df5232x Ae3(t3) Firmware by Hikvision
Ds 2df5232x Ael(t3) Firmware by Hikvision
Ds 2df6a225x Ael(t3) Firmware by Hikvision
Ds 2df6a236x Ael(t3) Firmware by Hikvision
Ds 2df6a425x Ael(t3) Firmware by Hikvision
Ds 2df6a436x Ael(t3) Firmware by Hikvision
Ds 2df6a436x Ael(t5) Firmware by Hikvision
Ds 2df6a436x Aely(t5) Firmware by Hikvision
Ds 2df6a836x Ael(t5) Firmware by Hikvision
Ds 2df7225ix Ael(t3) Firmware by Hikvision
Ds 2df7225ix Aelw(t3) Firmware by Hikvision
Ds 2df7232ix Ael(t3) Firmware by Hikvision
Ds 2df7232ix Aelw(t3) Firmware by Hikvision
Ds 2df8225ih Ael(w) Firmware by Hikvision
Ds 2df8225ix Ael(t3) Firmware by Hikvision
Ds 2df8225ix Ael(t5) Firmware by Hikvision
Ds 2df8225ix Aelw(t3) Firmware by Hikvision
Ds 2df8225ix Aelw(t5) Firmware by Hikvision
Ds 2df8242i5x Ael(t3) Firmware by Hikvision
Ds 2df8242i5x Aelw(t3) Firmware by Hikvision
Ds 2df8242i5x Aelw(t5) Firmware by Hikvision
Ds 2df8242ix Ael(t5) Firmware by Hikvision
Ds 2df8242ix Aelw(t3) Firmware by Hikvision
Ds 2df8242ix Aely(t3) Firmware by Hikvision
Ds 2df8250i8x Ael(t3) Firmware by Hikvision
Ds 2df8425ix Ael(t3) Firmware by Hikvision
Ds 2df8425ix Ael(t5) Firmware by Hikvision
Ds 2df8425ix Aelw(t3) Firmware by Hikvision
Ds 2df8425ix Aelw(t5) Firmware by Hikvision
Ds 2df8436i5x Aelw(t3) Firmware by Hikvision
Ds 2df8442ixs Ael(t5) Firmware by Hikvision
Ds 2df8442ixs Aelw(t2) Firmware by Hikvision
Ds 2df8442ixs Aelw(t5) Firmware by Hikvision
Ds 2df8442ixs Aelwy(t5) Firmware by Hikvision
Ds 2df8442ixs Aely(t5) Firmware by Hikvision
Ds 2df8a442ixs Ael(t2) Firmware by Hikvision
Ds 2df8a442ixs Ael(t5) Firmware by Hikvision
Ds 2df8a442ixs Aely(t5) Firmware by Hikvision
Ds 2df8a442ixs Af/sp(t5) Firmware by Hikvision
Ds 2df8a442nxs Ael(t5) Firmware by Hikvision
Ds 2df8a842ixs Ael(t5) Firmware by Hikvision
Ds 2dy9236i8x A(t3) Firmware by Hikvision
Ds 2dy9250izs A(t5) Firmware by Hikvision
Ds 2dyh2a0ixs D(t2) Firmware by Hikvision
Ds 2td6267 100c4l/wy Firmware by Hikvision
Ds 2td8166 100c2f/v2 Firmware by Hikvision
Ds 2td8166 150ze2f/v2 Firmware by Hikvision
Ds 2td8166 150zh2f/v2 Firmware by Hikvision
Ds 2td8166 180ze2f/v2 Firmware by Hikvision
Ds 2td8167 150zc4f/w Firmware by Hikvision
Ds 2td8167 190ze2f/w Firmware by Hikvision
Ds 2td8167 190ze2f/wy Firmware by Hikvision
Ds 2td8167 230zg2f/w Firmware by Hikvision
Ds 2td8167 230zg2f/wy Firmware by Hikvision
Ds 2xe6242f Is/316l(b) Firmware by Hikvision
Ds 2xe6442f Izhrs(b) Firmware by Hikvision
Ds 2xe6452f Izh(r)s Firmware by Hikvision
Ids 2pt9a144mxs D/t2 Firmware by Hikvision
Ids 2vs435 F840 Ey(t3) Firmware by Hikvision
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover, installation of persistent backdoors, lateral movement to internal networks, data exfiltration, and device bricking.
Likely Case
Unauthenticated remote code execution leading to camera manipulation, surveillance footage theft, credential harvesting, and botnet recruitment.
If Mitigated
Limited impact if devices are isolated in separate VLANs with strict network segmentation and egress filtering.
🎯 Exploit Status
Multiple public exploit scripts available. Actively exploited in the wild since 2021. Exploitation requires sending specially crafted HTTP requests to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware updates released September 2021 and later
Vendor Advisory: https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
Restart Required: Yes
Instructions:
1. Identify affected Hikvision devices.
2. Download the latest firmware from the Hikvision portal.
3. Back up the device configuration.
4. Apply the firmware update via the web interface.
5. Reboot the device.
6. Verify that the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate Hikvision devices in a separate VLAN with strict firewall rules
Web Interface Restriction
Block external access to the web interface via firewall rules
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Immediately isolate affected devices from internet and critical internal networks
- Implement strict network access controls allowing only necessary traffic to/from devices
🔍 How to Verify
Check if Vulnerable:
Check device firmware version against Hikvision advisory. Test with nmap scripts or Metasploit module.
Check Version:
Check web interface System Information page or use SNMP queries if enabled
Verify Fix Applied:
Verify firmware version is patched (post-September 2021). Test with known exploit scripts to confirm failure.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests to device management endpoints
- Command execution patterns in system logs
- Failed authentication attempts followed by successful command execution
Network Indicators:
- HTTP requests containing command injection payloads to /SDK/webLanguage
- Unusual outbound connections from surveillance devices
- Traffic to known C2 servers from IoT devices
SIEM Query:
source="hikvision*" AND (url="*/SDK/webLanguage*" OR (http_method="POST" AND (url="*$*" OR url="*|*" OR url="*;*")))
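The indicators above (requests to /SDK/webLanguage, POST bodies or URLs carrying shell metacharacters, and per-client clustering) can be checked offline against exported logs. The script below is an added example and is not part of the original page or of any Hikvision tooling; it assumes a JSON-lines log export whose field names (source, client, http_method, url, status, body_snippet) mirror the fields used in the SIEM query, and the sample lines it embeds are constructed, not captured from a real device.

```python
"""Added example (not from the original page): flag log events that match the
page's network indicators for CVE-2021-36260.

Assumptions: logs are JSON lines exported from a reverse proxy / WAF in front of
the cameras, with the fields source, client, http_method, url, status and
body_snippet. SAMPLE_LOGS is constructed test data, not real traffic.
"""
import json
import re
from collections import Counter

# Endpoint named in the page's network indicators (matched case-insensitively).
TARGET_PATH = "/sdk/weblanguage"
# Shell metacharacters from the page's SIEM query ($ | ;) plus the backtick.
META_RE = re.compile(r"[$|;`]")

# Constructed sample log lines (RFC 5737 documentation addresses, made-up bodies).
SAMPLE_LOGS = """\
{"ts":"2021-10-02T03:14:11Z","source":"hikvision-cam-01","client":"198.51.100.7","http_method":"POST","url":"/SDK/webLanguage","status":200,"body_snippet":"lang=en"}
{"ts":"2021-10-02T03:14:12Z","source":"hikvision-cam-01","client":"198.51.100.7","http_method":"POST","url":"/SDK/webLanguage","status":200,"body_snippet":"en; id"}
{"ts":"2021-10-02T03:15:40Z","source":"hikvision-cam-01","client":"192.0.2.50","http_method":"GET","url":"/login","status":200,"body_snippet":""}
{"ts":"2021-10-02T03:16:02Z","source":"hikvision-cam-02","client":"203.0.113.9","http_method":"POST","url":"/api/config?name=a|b","status":500,"body_snippet":""}
{"ts":"2021-10-02T03:17:19Z","source":"hikvision-cam-02","client":"192.0.2.50","http_method":"POST","url":"/SDK/webLanguage","status":401,"body_snippet":"lang=de"}
"""


def classify(event):
    """Return the list of indicator names an event matches (empty means clean).

    Order is fixed so that callers can test for the combined pattern:
    target_endpoint -> shell_metachars -> possible_success.
    """
    hits = []
    url = event.get("url", "")
    method = event.get("http_method", "")
    body = event.get("body_snippet", "")

    # Indicator 1: any request to the vulnerable endpoint is worth a look.
    if TARGET_PATH in url.lower():
        hits.append("target_endpoint")

    # Indicator 2: POST whose URL or body carries shell metacharacters.
    if method == "POST" and META_RE.search(url + body):
        hits.append("shell_metachars")

    # Both indicators on the same request plus an HTTP 200 is the strongest
    # signal in these logs that the injection attempt was accepted.
    if event.get("status") == 200 and hits == ["target_endpoint", "shell_metachars"]:
        hits.append("possible_success")
    return hits


def scan(log_text):
    """Parse JSON lines and return (timestamp, client, hits) for flagged events."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        hits = classify(event)
        if hits:
            findings.append((event["ts"], event["client"], hits))
    return findings


def per_client_counts(findings):
    """Count metacharacter-bearing requests per client for triage ordering."""
    return Counter(client for _, client, hits in findings if "shell_metachars" in hits)


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for ts, client, hits in results:
        print(f"{ts} {client:15} {', '.join(hits)}")
    print("clients sending shell metacharacters:", dict(per_client_counts(results)))
```

Benign requests to /SDK/webLanguage are reported with only target_endpoint so that analysts can tune the rule to their baseline; the combined pattern with an HTTP 200 is what should page someone, and the per-client counts give the order in which to investigate sources.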
🔗 References
- http://packetstormsecurity.com/files/164603/Hikvision-Web-Server-Build-210702-Command-Injection.html
- http://packetstormsecurity.com/files/166167/Hikvision-IP-Camera-Unauthenticated-Command-Injection.html
- https://therecord.media/experts-warn-of-widespread-exploitation-involving-hikvision-cameras/
- https://www.cyfirma.com/wp-content/uploads/2022/08/HikvisionSurveillanceCamerasVulnerabilities.pdf
- https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-36260