in , ,

Unauthenticated RCE bug in Hikvision IP camera/NVR firmware

The majority of the recent camera product ranges of Hikvision cameras are susceptible to a critical remote unauthenticated code execution vulnerability even with latest firmware (as of 21 June 2021). Some older models are affected also as far back as at least 2016. Some NVRs are also affected, though this is less widespread.

This is being tracked as CVE-2021-36260

This permits an attacker to gain full control of device with an unrestricted root shell, which is far more access than even the owner of the device has as they are restricted to a limited “protected shell” (psh) which filters input to a predefined set of limited, mostly informational commands.

In addition to complete compromise of the IP camera, internal networks can then be accessed and attacked.

Exploit code of CVE-2021-36260

This post was created with our nice and easy submission form. Create your post!

What do you think?

Posted by SH

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

Pre-Auth Takeover Bug in GoCD

Use-After-Free in Voice Control: CVE-2021-30902 Write-up – ZecOp