CVE-2023-53691
📋 TL;DR
This vulnerability allows attackers to upload arbitrary files via directory traversal in Hikvision's iSecure Center platform. It affects Hikvision CSMP (Comprehensive Security Management Platform) installations, potentially enabling remote code execution or system compromise. Organizations using affected versions are at risk.
💻 Affected Systems
- Hikvision CSMP iSecure Center
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to ransomware deployment, data exfiltration, or persistent backdoor installation across the security management infrastructure.
Likely Case
Unauthorized file upload leading to web shell installation, lateral movement within the network, and potential access to surveillance systems and security data.
If Mitigated
Limited impact with proper network segmentation, file upload restrictions, and monitoring in place, potentially only allowing file upload without execution.
🎯 Exploit Status
Exploited in the wild in 2024-2025; directory traversal via /center/api/files endpoint allows arbitrary file upload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2023-06-25
Vendor Advisory: https://www.hikvision.com/en/support/cybersecurity/security-advisory/
Restart Required: Yes
Instructions:
1. Check current version via platform interface.
2. Contact Hikvision support for patch.
3. Apply patch following vendor instructions.
4. Restart services as required.
5. Verify fix by testing endpoint.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
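Restrict access to the /center/api/files endpoint via a web application firewall or network controls. The iptables string match shown here only sees cleartext HTTP on port 80; for HTTPS, apply the block at the TLS-terminating proxy or WAF.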
# Example WAF rule to block /center/api/files/*
# Example: iptables -A INPUT -p tcp --dport 80 -m string --string "/center/api/files" --algo bm -j DROP
File Upload Restrictions
Configure the web server to reject file uploads with directory traversal sequences (../).
# Apache: RewriteRule ^.*(\.\./).*$ - [F]
# Nginx: if ($request_uri ~* "\.\./") { return 403; }
🧯 If You Can't Patch
- Isolate the iSecure Center system in a dedicated VLAN with strict firewall rules limiting inbound connections.
- Implement application-level monitoring for file upload attempts to /center/api/files and alert on suspicious patterns.
🔍 How to Verify
Check if Vulnerable:
Test if /center/api/files endpoint accepts file uploads with directory traversal payloads (e.g., ../../../test.txt). Use tools like curl: curl -X POST -F 'file=@test.txt' 'http://target/center/api/files/../../../test'
Check Version:
Check version in iSecure Center web interface under System Information or via vendor documentation.
Verify Fix Applied:
Attempt the same directory traversal file upload test; it should be rejected with appropriate error (e.g., 403 Forbidden).
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /center/api/files with ../ sequences in logs
- File creation in unexpected directories via web server logs
- Increased file upload activity to the endpoint
Network Indicators:
- Unusual outbound connections from iSecure Center server post-exploitation
- Traffic patterns indicating web shell communication
SIEM Query:
source="web_logs" AND uri CONTAINS "/center/api/files" AND (method="POST" OR method="PUT") AND (uri CONTAINS "../" OR user_agent CONTAINS "curl" OR user_agent CONTAINS "wget")
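The log indicators and SIEM query above, applied to raw access logs as an added example that is not part of the original page or any vendor tooling. It assumes Combined Log Format, uses constructed sample lines, and its function names are illustrative; it goes beyond the query by percent-decoding the URI first so encoded ../ sequences are matched too.

```python
import re
from urllib.parse import unquote

# Assumed log format: Combined Log Format (ip - user [time] "METHOD uri PROTO" status ...)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/center/api/files"            # endpoint named on this page
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')   # ../ or ..\ once the URI is decoded


def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded ../ are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(line):
    """Return a finding for a POST/PUT to the endpoint carrying ../, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] not in ("POST", "PUT"):
        return None
    decoded = fully_decode(m["uri"])
    if ENDPOINT not in decoded or not TRAVERSAL_RE.search(decoded):
        return None
    # A 2xx status means the server did not reject the request: triage those first.
    return {"ip": m["ip"], "uri": m["uri"], "accepted": m["status"].startswith("2")}


def scan(lines):
    return [finding for finding in map(classify, lines) if finding]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "POST /center/api/files HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "POST /center/api/files/../../../test HTTP/1.1" 200 64 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2025:10:02:00 +0000] "POST /center/api/files/%2e%2e%2f%2e%2e%2ftest HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.5 - - [01/Jan/2025:10:03:00 +0000] "PUT /center/api/files/%252e%252e%252ftest HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [01/Jan/2025:10:04:00 +0000] "GET /center/api/files/../x HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with accepted set to True are requests the server answered with a 2xx status and should be checked against file creation on disk first.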