Hikvision Access Control and Intercom Products

MonitorCVSS 7.5ICS-CERT ICSA-23-285-14Oct 12, 2023

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

Hikvision access control terminals and intercom systems contain vulnerabilities in session handling (CWE-384) and access control logic (CWE-284) that allow attackers on the local network to hijack user sessions and gain operator permissions, or to modify device network configuration by sending crafted packets. Affected product lines include DS-K1T804AXX, DS-K1T341AXX, DS-K1T671XXX, DS-K1T343XXX, DS-K1T341C, DS-K1T320XXX, DS-KH63, DS-KH85, DS-KH62, DS-KH9310-WTE1(B), and DS-KH9510-WTE1(B) devices with various firmware versions up to early 2023.

What this means

What could happen

An attacker could hijack an active user session on a Hikvision access control terminal or intercom and gain operator permissions to alter device configuration and settings, or modify network configuration by sending crafted packets from the same local network.

Who's at risk

Facility managers and security teams operating Hikvision access control terminals (DS-K1T series) and intercom systems (DS-KH series) in office buildings, factories, data centers, and public facilities. Any organization using these devices for physical access control should assess their network exposure and apply available mitigations.

How it could be exploited

An attacker on the local network sends specially crafted data packets to a vulnerable interface on the device, exploiting session handling weaknesses (CWE-384) or inadequate access controls (CWE-284). The attacker either hijacks an existing authenticated session to gain device operation permissions, or directly modifies network configuration settings without authentication. User interaction may be required for session hijacking variants.

Prerequisites

Local network access to the vulnerable device or its management interface
Device must be connected to the same network segment as attacker
For session hijacking: an active user session must exist on the device
No valid user credentials required for network configuration modification variant

No patch available for affected productsRemotely exploitable over networkLow complexity exploitAffects access control systems (critical for physical security)Local network access required reduces risk compared to internet-facing

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (11)

11 EOL

ProductAffected VersionsFix Status

DS-K1T804AXX: <=1.4.0_build221212≤ 1.4.0 build221212No fix (EOL)

DS-K1T671XXX: <=3.2.30_build221223≤ 3.2.30 build221223No fix (EOL)

DS-K1T343XXX: <=3.14.0_build230117≤ 3.14.0 build230117No fix (EOL)

DS-K1T341C: <=3.3.8_build230112≤ 3.3.8 build230112No fix (EOL)

DS-K1T320XXX: <=3.5.0_build220706≤ 3.5.0 build220706No fix (EOL)

DS-KH63 Series: <=2.2.8_build230219≤ 2.2.8 build230219No fix (EOL)

DS-KH85 Series: <=2.2.8_build230219≤ 2.2.8 build230219No fix (EOL)

DS-KH9310-WTE1(B): <=2.1.76_build230204≤ 2.1.76 build230204No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict network access to access control terminals and intercom devices by placing them behind a firewall and segmenting them from business networks and internet access

HARDENINGMonitor for unauthorized changes to device network configuration and session activity logs on access control terminals

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXCheck Hikvision website for available firmware patches and apply them to all affected access control terminals and intercoms

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: DS-K1T804AXX: <=1.4.0_build221212, DS-K1T671XXX: <=3.2.30_build221223, DS-K1T343XXX: <=3.14.0_build230117, DS-K1T341C: <=3.3.8_build230112, DS-K1T320XXX: <=3.5.0_build220706, DS-KH63 Series: <=2.2.8_build230219, DS-KH85 Series: <=2.2.8_build230219, DS-KH9310-WTE1(B): <=2.1.76_build230204, DS-KH9510-WTE1(B): <=2.1.76_build230204, DS-K1T341AXX: <=3.2.30_build221223, DS-KH62 Series: <=1.4.62_build220414. Apply the following compensating controls:

HARDENINGIf remote management of access control systems is required, use a VPN connection with authentication and keep the VPN software updated to the latest version

CVEs (2)

CVE-2023-28809 CVE-2023-28810

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/31c4b464-aea7-4465-8802-de5e11a6f6bf

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.