Risk of intrusion: Over 80,000 Hikvision cameras vulnerable

Although Hikvision has released updates for the cameras, more than 2,300 companies ignore them. This could allow attackers to break into their networks.

Hikvision closed a security gap in its surveillance cameras in September last year with updated firmware. According to research by the security company Cyfirma, however, more than 80,000 vulnerable cameras are still reachable on the Internet, and attackers could use them to penetrate networks.

The vulnerability is a command injection flaw in the web interface of the surveillance cameras. Because the data sent to the devices is insufficiently verified, attackers could use a manipulated request to execute arbitrary commands on the devices and establish a foothold on them (CVE-2021-36260, CVSS 9.8, risk "critical").

At least two exploits for the vulnerability are circulating publicly. In a security notification, Hikvision has listed the numerous affected models, explained the security gap and offers updated firmware for download that closes the vulnerability. Apparently, many IT managers who use the cameras have not included the IoT devices in their maintenance cycle.

In July of this year, Cyfirma examined a random sample of 285,000 devices that could be accessed online. Among them were 80,000 cameras still running a vulnerable firmware version. They are in use at more than 2,300 institutions in over 100 countries. The countries with the most vulnerable cameras, in descending order, were China, the US, Vietnam, the UK, Ukraine, Thailand, South Africa, France and the Netherlands.

According to Cyfirma's analysis (request form), Chinese cybergangs such as Mission2025/APT41 or APT10 and their affiliates, as well as an unknown Russian cybercriminal organization, could in particular abuse the vulnerability to achieve their goals, including geopolitical ones. Leaked access to numerous cameras is for sale in Russian underground forums.

Administrators should urgently check the firmware status of their Hikvision cameras and, if necessary, update them quickly so that the devices do not present an unnecessary target to cyber intruders. In addition, IoT devices should ideally be locked into a separate (V)LAN or isolated via a firewall so that they do not pose a threat to the rest of the company network. IT managers are also well advised to include the IoT devices in their networks in the maintenance cycle.