CVE-2017-7921

Multiple Products vulnerability analysis and mitigation

High Profile Threat

Overview

Hikvision IP cameras across multiple product series contain an improper authentication vulnerability that lets an attacker with network access to the device escalate privileges and read sensitive information without valid credentials. The flaw lies in the firmware's user authentication mechanism. The vulnerability was publicly disclosed on May 6, 2017. CISA lists CVE-2017-7921 in its Known Exploited Vulnerabilities catalog; it is not currently known to be used in ransomware campaigns.

Technical details

Affected firmware on Hikvision IP cameras across multiple product lines fails to properly validate user credentials and enforce access controls on the device's web service. An attacker who can reach the device over the network can therefore bypass authentication, operate with administrative privileges, and retrieve sensitive data including video streams, the device configuration (which contains account credentials), and system logs.

The vulnerability is classified as CWE-287 (Improper Authentication), CWE-269 (Improper Privilege Management) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).

The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability of the device itself.

Impact

Successful exploitation allows attackers to completely compromise affected Hikvision IP camera devices. Attackers can escalate privileges from an unauthenticated state to administrative access, enabling them to: (1) Access and view video streams and recorded footage; (2) Modify device configuration and settings; (3) Extract sensitive information including system logs and credentials; (4) Disable security features; (5) Potentially pivot into the network where the camera is deployed; (6) Create or modify user accounts for persistent access. Given that these devices are often deployed in critical surveillance infrastructure for banks, government facilities, airports, and other sensitive locations, the impact extends beyond individual device compromise to potential reconnaissance for larger infrastructure attacks.

Mitigation and workarounds

1. Download the appropriate firmware version from Hikvision's official support portal for your specific device model.
2. Connect to the device's web management interface using a valid administrator account.
3. Navigate to System > Firmware Upgrade.
4. Select the downloaded firmware file and initiate the upgrade process.
5. Allow the device to reboot (this may take several minutes).
6. Verify the upgrade was successful by checking the firmware version in System Information.
7. After upgrading, reset all user credentials and review access control policies. Because the bypass allows the configuration file, and with it account credentials, to be retrieved, treat every password that existed on the device before the upgrade as compromised.
8. If compromise is suspected, reset the device to factory defaults and reconfigure it from scratch rather than trusting the existing configuration.

The following firmware versions include the fix:
DS-2CD2xx2F-I Series: V5.4.1 and later
DS-2CD2xx0F-I Series: V5.4.1 and later
DS-2CD2xx2FWD Series: V5.4.5 and later
DS-2CD4x2xFWD Series: V5.4.1 and later
DS-2CD4xx5 Series: V5.4.1 and later
DS-2DFx Series: V5.4.6 and later
DS-2CD63xx Series: V5.3.6 and later
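To make step 6 repeatable across a fleet rather than a one-off click through each web UI, the following Python script, added here as an example and not tooling from Hikvision, CISA or the page's source, encodes the series/version table above and compares a reported firmware string against it. Two things are assumptions for the example: each "x" in a series name is treated as a one-character wildcard so that a full model string (for instance DS-2CD2032F-I) maps onto its series, and the inventory rows at the bottom are constructed, not real device data. Feed it the model and firmware strings from each device's System Information page or your asset inventory.

```python
import re
from typing import Optional

# Minimum fixed firmware per product series, as listed in the advisory above.
# In a series name, "x" stands for one model character (assumption for this
# example: e.g. DS-2CD2032F-I belongs to the DS-2CD2xx2F-I series).
FIXED_VERSIONS = {
    "DS-2CD2xx2F-I": "V5.4.1",
    "DS-2CD2xx0F-I": "V5.4.1",
    "DS-2CD2xx2FWD": "V5.4.5",
    "DS-2CD4x2xFWD": "V5.4.1",
    "DS-2CD4xx5": "V5.4.1",
    "DS-2DFx": "V5.4.6",
    "DS-2CD63xx": "V5.3.6",
}


def series_regex(series: str) -> "re.Pattern[str]":
    # Each "x" becomes a single-character wildcard; everything else is literal.
    # The pattern is anchored at the start only, so trailing suffixes on a full
    # model string (e.g. "-I", "-AEL") do not prevent a match.
    body = "".join("[0-9A-Z]" if ch == "x" else re.escape(ch) for ch in series)
    return re.compile("^" + body)


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from strings like 'V5.4.1 build 160525'."""
    m = re.search(r"V?(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())


def fixed_version_for(model: str) -> Optional[str]:
    """Return the fixed version for the series a model belongs to, or None."""
    model = model.strip().upper()
    hits = [s for s in FIXED_VERSIONS if series_regex(s).match(model)]
    if not hits:
        return None
    # If several series patterns match, the longer (more specific) name wins.
    return FIXED_VERSIONS[max(hits, key=len)]


def is_vulnerable(model: str, firmware: str) -> Optional[bool]:
    """True = firmware older than the fix, False = fixed, None = not in the table."""
    fixed = fixed_version_for(model)
    if fixed is None:
        return None
    return parse_version(firmware) < parse_version(fixed)


if __name__ == "__main__":
    # Constructed inventory for demonstration only; not real device data.
    inventory = [
        ("DS-2CD2032F-I", "V5.4.0 build 160530"),
        ("DS-2CD2042FWD-I", "V5.4.5"),
        ("DS-2DF8223I-AEL", "V5.4.5"),
        ("DS-2CD6332F", "V5.3.6"),
        ("DS-7608NI-E2", "V3.4.2"),
    ]
    labels = {True: "VULNERABLE", False: "fixed", None: "not in table"}
    for model, fw in inventory:
        print(f"{model:18} {fw:24} {labels[is_vulnerable(model, fw)]}")
```

A device that comes back as "not in table" is not cleared; it only means its series is not one the advisory lists, so it still needs to be checked against the vendor's own bulletin.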

As temporary workarounds until the firmware can be upgraded:
1. Implement network segmentation to restrict access to Hikvision devices. Deploy the cameras on an isolated VLAN with strict access control lists (ACLs) that limit connections to authorized management stations and video recording systems only.
2. Deploy a firewall or intrusion prevention system (IPS) configured to monitor and block suspicious authentication and privilege escalation attempts against Hikvision devices.
3. Disable the web management interface if it is not required, and access the device only through local connections where possible.
4. Require strong network-level authentication and encryption (VPN, TLS 1.2 or later) for any administrative access to affected devices.
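The ACL and IPS workarounds above only help if you can tell when they fail. The following Python script, an added example rather than code from the page's source or from Hikvision, runs three checks over camera-facing HTTP request logs: an administrative path reached from outside an allowlisted management subnet (the segmentation control being violated), credential material carried in a URL query parameter (the shape of the publicly documented bypass for this CVE, which base64-encodes a credential into the query string), and a sensitive resource returned with a 2xx status to a request that carried no credential header at all. The log line format, the management subnet, the list of sensitive path prefixes and the sample log lines are all constructed for the example; adapt the regex to whatever your proxy or firewall actually emits.

```python
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Subnet(s) allowed to reach camera management interfaces. Constructed for this
# example; substitute the management VLAN from your own segmentation plan.
AUTHORISED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Web-service paths that only an authenticated administrator should reach.
# An assumed set for this example, not an official list from the vendor.
SENSITIVE_PREFIXES = ("/System/", "/Security/", "/ISAPI/System/", "/ISAPI/Security/")

# Assumed log format, one request per line:
#   <timestamp> <src_ip> <method> <path?query> <status> <credential_header: yes|no>
# where the last field records whether the request carried an Authorization
# header or a session cookie.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<auth>yes|no)$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    src: str
    path: str


def looks_like_basic_credential(value: str) -> bool:
    """True if value base64-decodes to printable 'user:password' form."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return False
    return ":" in decoded.strip()


def authorised(src: str) -> bool:
    """True if the source address belongs to an allowlisted management subnet."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in AUTHORISED_NETS)


def analyse(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format; skip rather than guess
        parts = urlsplit(m["target"])
        sensitive = parts.path.startswith(SENSITIVE_PREFIXES)
        src, status, has_cred = m["src"], int(m["status"]), m["auth"] == "yes"
        # Rule 1: administrative path reached from outside the management VLAN.
        if sensitive and not authorised(src):
            findings.append(Finding(n, "outside_allowlist", src, parts.path))
        # Rule 2: base64 user:password material in the query string.
        for key, values in parse_qs(parts.query).items():
            if any(looks_like_basic_credential(v) for v in values):
                findings.append(Finding(n, f"creds_in_query:{key}", src, parts.path))
        # Rule 3: sensitive resource served (2xx) to a request with no credentials.
        if sensitive and 200 <= status < 300 and not has_cred:
            findings.append(Finding(n, "unauth_success", src, parts.path))
    return findings


# Constructed sample log; the base64 value is "admin:12345", a made-up credential.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.20.30.5 GET /ISAPI/System/deviceInfo 200 yes
2024-03-01T10:00:02Z 203.0.113.7 GET /Security/users?auth=YWRtaW46MTIzNDU= 200 no
2024-03-01T10:00:03Z 203.0.113.7 GET /System/configurationFile?auth=YWRtaW46MTIzNDU= 200 no
2024-03-01T10:00:04Z 10.20.30.9 GET /doc/page/login.asp 200 no
2024-03-01T10:00:05Z 198.51.100.4 GET /Security/users 401 no
""".splitlines()

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule:22} {f.src:14} {f.path}")
```

Line 5 of the sample trips only the allowlist rule: the device refused the request, but the fact that a non-management host could reach the path at all means the ACL in workaround 1 is not doing its job. Lines 2 and 3 trip all three rules and are the pattern to alert on with priority, since a 200 on the configuration file means the credentials it contains are gone.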

CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Source: This report was generated using AI

Related Hikvision Vulnerabilities

No related vulnerabilities found with identified affected products.