Connect with us

Hi, what are you looking for?

Cyber Security

Zero-click RCE vulnerability in Hikvision security cameras could lead to network compromise

A zero-click vulnerability in a popular IoT security camera could allow an unauthenticated attacker to gain full access to the device and possibly internal networks, a researcher has warned.

The researcher, dubbed ‘Watchful IP’, has released details of the unauthenticated remote code execution (RCE) bug in certain products from Hikvision, a Chinese manufacturer and world’s biggest network camera brand.

In a blog post, they described how the security vulnerability, tracked as CVE-2021-36260, could enable a malicious actor to completely takeover an internet-connected camera and potentially internal networks.

The critical bug – awarded 9.8 on the CVSS scale of severity – enables the actor to gain “far more access than even the owner of the device has as they are restricted to a limited ‘protected shell’ (psh) which filters input to a predefined set of limited, mostly informational commands”, Watchful IP explained.

“In addition to complete compromise of the IP camera, internal networks can then be accessed and attacked.

“This is the highest level of critical vulnerability – a zero click unauthenticated remote code execution (RCE) vulnerability affecting a high number of Hikvision cameras.”

They added: “Given the deployment of these cameras at sensitive sites potentially even critical infrastructure is at risk.”

Long-standing bug

The researcher claims that firmware has been susceptible to the bug since as far back as 2016.

Hikvision has acknowledged the findings and has patched the issue. The company has also released a security advisory detailing which products are at risk.

A summary reads: “Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.”

The advisory also contains an extensive list of vulnerable versions.

The Daily Swig has reached out to the researcher for more information and will update this article accordingly.

Source: https://portswigger.net/daily-swig/zero-click-rce-vulnerability-in-hikvision-security-cameras-could-lead-to-network-compromise

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO