CVE-2021-36260


CVSS 9.8 CRITICAL · EPSS 99.9% · KEV · CWE-78
In short

A Hikvision web server fails to properly validate user input, allowing attackers to inject malicious commands that execute on the server. This can give attackers complete control over the affected device.

Technical detail

A CWE-78 command injection vulnerability in a Hikvision product web server, stemming from insufficient input validation. An unauthenticated attacker can craft malicious messages containing OS commands that execute with server privileges, leading to complete system compromise.

Summary generated and translated by AI from the official description.
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a