Hikvision Cameras
Act Now10ICS-CERT ICSA-17-124-01May 4, 2017
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Multiple Hikvision camera models contain critical vulnerabilities allowing unauthenticated remote code execution. The vulnerabilities stem from improper authentication (CWE-287) and use of hard-coded credentials (CWE-260) in the camera firmware. An attacker can access the management interface without credentials and execute arbitrary system commands. Most affected camera series from 2014–2016 have no firmware patches available. Only the DS-2CD2xx2F-I Series has a patch available (V5.4.5 build 170123 or later).
What this means
What could happen
An unauthenticated attacker can access a Hikvision camera remotely and execute arbitrary commands with full system privileges. This could allow an attacker to disable cameras, alter video recordings, redirect video feeds, or use the camera as a pivot point into your network.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure using Hikvision network cameras for perimeter security or facility monitoring. Affected models include fixed dome cameras (DS-2CD2xx2FWD, DS-2CD2xx2F-I, DS-2CD4x2xFWD, DS-2CD4xx5), speed dome cameras (DS-2DFx), and turret cameras (DS-2CD2xx0F-I, DS-2CD63xx) from Hikvision's 2014–2016 product lines.
How it could be exploited
An attacker sends a specially crafted network request to the camera's management interface (typically port 80/443) without any authentication. The camera accepts the request and executes arbitrary commands, giving the attacker complete control over the device.
Prerequisites
- Network access to the camera's HTTP/HTTPS port (default 80/443)
- Camera is one of the affected Hikvision models and running a vulnerable firmware version
Remotely exploitableNo authentication requiredLow complexityActively exploited (KEV)High EPSS score (94.2%)No patch available for most modelsAffects security monitoring systems
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (7)
1 with fix1 pending5 EOL
ProductAffected VersionsFix Status
DS- 2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414≥ 5.2.0 build 140721 | ≤ 5.4.0 Build 160414No fix yet
DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125≥ 5.3.1 build 150410 | ≤ 5.4.4 Build 161125No fix (EOL)
DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421≥ 5.2.0 build 140721 | ≤ 5.4.0 Build 160421No fix (EOL)
DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401≥ 5.2.0 build 140721 | ≤ 5.4.0 Build 160401No fix (EOL)
DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106≥ 5.0.9 build 140305 | ≤ 5.3.5 Build 160106No fix (EOL)
DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530≥ 5.2.0 build 140721 | ≤ 5.4.0 build 160530V5.4.5 build 170123
DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928≥ 5.2.0 build 140805 | ≤ 5.4.5 Build 160928No fix (EOL)
Remediation & Mitigation
0/5
Do now
0/5HOTFIXFor DS-2CD2xx2F-I Series: upgrade firmware to V5.4.5 build 170123 or later
HOTFIXFor all other affected camera models (DS-2CD2xx2FWD, DS-2CD4x2xFWD, DS-2CD4xx5, DS-2DFx, DS-2CD2xx0F-I, DS-2CD63xx): contact Hikvision support to determine end-of-life status and plan replacement or decommissioning
HARDENINGIsolate affected cameras on a separate network segment or VLAN with restricted access from engineering and office networks
WORKAROUNDRestrict network access to camera management interfaces using firewall rules; allow only from authorized monitoring stations
HARDENINGDisable remote access to cameras if not operationally required
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/4080300b-b1fe-49cf-8334-a4a78e821629