Cybersecurity Vulnerability Could Affect Millions of Hikvision Cameras

On Sunday, video surveillance giant Hikvision posted a security advisory on its website warning customers of a vulnerability that could affect millions of cameras and NVRs deployed worldwide.


The “command injection vulnerability” could give attackers complete control of affected devices. It was discovered by cybersecurity researcher Watchful IP in June and first reported on Monday by IPVM.


According to the security advisory, the vulnerability received a base score of 9.8 out of 10 under the Common Vulnerability Scoring System (CVSS), which Watchful IP called “the highest level of critical vulnerability.” A 9.8 base score under CVSS v3 corresponds to a flaw that is reachable over the network, low in attack complexity, and exploitable without prior privileges or user interaction, with high impact to confidentiality, integrity and availability.


Although Hikvision has not said how many devices are affected, listing only affected product names and firmware versions in the advisory, IPVM estimates that more than 100 million devices could be affected.


In a letter to its partners, Hikvision told integrators to download the updated firmware from its website to remediate the vulnerability.
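Because the advisory identifies affected devices by product name and firmware version, the practical first step for an integrator is an inventory check: read each device's model and firmware build and compare it against the fixed builds for that product line. The script below is an added example, not code from Hikvision or from the advisory. It parses a constructed XML document shaped like a Hikvision ISAPI deviceInfo response (an assumption about the response layout) and compares the parsed version and build date against a hypothetical "first fixed build" table; the model prefix and build numbers in `FIXED_BUILDS` are placeholders, not values from the advisory, and must be replaced with the product/firmware pairs the advisory lists.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the XML an ISAPI deviceInfo query returns.
# The layout is an assumption for this example; the values are made up.
SAMPLE_DEVICE_INFO = """<?xml version="1.0" encoding="UTF-8"?>
<DeviceInfo version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
  <deviceName>Lobby-Cam-01</deviceName>
  <model>DS-2CD2043G0-I</model>
  <serialNumber>DS-2CD2043G0-I20200101AAWR000000000</serialNumber>
  <firmwareVersion>V5.5.82</firmwareVersion>
  <firmwareReleasedDate>build 190909</firmwareReleasedDate>
</DeviceInfo>
"""

# Hypothetical "first fixed build" table keyed by model prefix:
# model prefix -> ((major, minor, patch), YYMMDD build date).
# Placeholder values to exercise the comparison; replace with the
# product/firmware pairs from the vendor advisory.
FIXED_BUILDS = {
    "DS-2CD2": ((5, 5, 82), 210628),
}

VERSION_RE = re.compile(r"V?(\d+)\.(\d+)\.(\d+)")
BUILD_RE = re.compile(r"build\s+(\d{6})", re.IGNORECASE)


def parse_device_info(xml_text):
    """Extract model, serial, firmware version tuple and build date from deviceInfo XML."""
    root = ET.fromstring(xml_text)

    def field(tag):
        # "{*}" matches any namespace (Python 3.8+), so the parser does not
        # break if the device reports a different schema version.
        el = root.find("{*}" + tag)
        return el.text.strip() if el is not None and el.text else ""

    version_text = field("firmwareVersion")
    released_text = field("firmwareReleasedDate")
    ver = VERSION_RE.search(version_text)
    # Some firmware strings carry the build in the version field instead.
    build = BUILD_RE.search(released_text) or BUILD_RE.search(version_text)
    return {
        "model": field("model"),
        "serial": field("serialNumber"),
        "version": tuple(int(x) for x in ver.groups()) if ver else None,
        "build": int(build.group(1)) if build else None,
    }


def assess(device, fixed_builds=FIXED_BUILDS):
    """Return 'patched', 'vulnerable' or 'unknown' for a parsed device record.

    A device is only reported 'patched' when its (version, build) is at or
    above the first fixed build for a known model prefix. Anything that
    cannot be matched is 'unknown', never silently treated as safe.
    """
    if device["version"] is None or device["build"] is None:
        return "unknown"
    for prefix, fixed in fixed_builds.items():
        if device["model"].startswith(prefix):
            current = (device["version"], device["build"])
            return "patched" if current >= fixed else "vulnerable"
    return "unknown"


if __name__ == "__main__":
    record = parse_device_info(SAMPLE_DEVICE_INFO)
    print(record["model"], record["serial"], record["version"], record["build"],
          "->", assess(record))
```

Version strings are compared as (major, minor, patch) tuples and build dates as YYMMDD integers, so a device on the same version but an older build is still flagged. Models not in the table come back as "unknown" rather than "patched" so that gaps in the inventory table are visible instead of silently passing.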


It also said: “We recognise that many of our partners may have installed Hikvision equipment that is affected by this vulnerability, and we strongly encourage you to work with your customers to ensure proper cyber hygiene and install the updated firmware.”


Hikvision also said that it worked with Watchful IP to patch the vulnerability, and that its latest firmware version fixes all vulnerabilities that have been reported to the company.


“Hikvision is a CVE Numbering Authority (CNA) and has committed to continuing to work with third-party white-hat hackers and security researchers, to find, patch, disclose and release updates to products in a timely manner that is commensurate with our CVE CNA partner companies’ vulnerability management teams,” the letter adds.


“Hikvision strictly complies with the applicable laws and regulations in all countries and regions where we operate and our efforts to ensure the security of our products go beyond what is mandated.”