Security researchers from Cyfirma recently discovered that over 80,000 Hikvision surveillance cameras are still susceptible to a critical vulnerability that was patched in a security update over 2 years ago. CVE-2021-36260, which was added to the National Vulnerability Database in January of 2022, allows attackers to exploit Hikvision cameras due to their lack of input validation. Attackers exploiting this vulnerability can send malicious HTTP requests to the camera’s web server through server port 443, allowing them to immediately root the device. The unrestricted root shell gives the attacker access to camera data, enables them to enlist the camera in a botnet, and allows them to attack the camera server further. The vulnerability has a CVSS score of 9.8, just 0.2 points shy of reaching the maximum possible score.
The Scope of the Hikvision Vulnerability
Despite being an extremely critical vulnerability, the security update that neutralizes CVE-2021-36260 has yet to be applied by a multitude of organizations, 2,300 in total across 100 different countries according to Cyfirma. The flaw also spans several older versions of Hikvision firmware. “The vulnerability affects Hikvision products that use firmware versions V5.5.0 and earlier, V5.6.0 to V5.6.10, and V5.7.0 to V5.7.3,” noted Check Point Research.
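The affected-version ranges quoted above from Check Point Research are the practical starting point for an inventory check. The following script is an added example, not code from the original post or from Hikvision, that classifies firmware version strings against those three ranges; the camera names and version strings in the sample inventory are constructed for illustration, and the "build 190703"-style suffix is an assumed reporting format that the parser simply ignores.

```python
import re
from typing import Optional, Tuple

# Affected firmware ranges for CVE-2021-36260 as quoted on the page from Check Point
# Research: V5.5.0 and earlier, V5.6.0 to V5.6.10, V5.7.0 to V5.7.3. Bounds are
# inclusive; a lower bound of None means "and earlier".
AFFECTED_RANGES = [
    (None, (5, 5, 0)),
    ((5, 6, 0), (5, 6, 10)),
    ((5, 7, 0), (5, 7, 3)),
]

# Leading "V" is optional; anything after the third component (build dates etc.) is ignored.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric (major, minor, patch) triple, or None if unparseable.
    Comparing integer tuples (not strings) is what makes 5.6.10 sort above 5.6.9."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(version_text: str) -> Optional[bool]:
    """True if inside an affected range, False if outside all, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    return any((lo is None or lo <= v) and v <= hi for lo, hi in AFFECTED_RANGES)

def triage_inventory(inventory: dict) -> dict:
    """Map each camera label to 'affected', 'not affected' or 'unknown'."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {name: labels[is_affected(ver)] for name, ver in inventory.items()}

# Constructed sample inventory: the camera names and version strings are made up.
SAMPLE_INVENTORY = {
    "lobby-cam-01": "V5.4.5 build 170124",
    "lobby-cam-02": "V5.6.10",
    "garage-cam-01": "V5.6.11",
    "garage-cam-02": "v5.7.3 build 210602",
    "yard-cam-01": "V5.7.4",
    "yard-cam-02": "firmware n/a",
}

if __name__ == "__main__":
    for cam, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{cam:14} {SAMPLE_INVENTORY[cam]:22} {status}")
```

Treat an "unknown" result as a device that still needs a manual check rather than as safe, and confirm the exact fixed build against the vendor's advisory for each product line before closing the finding.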
Top 10 Countries Using Vulnerable Hikvision Camera Products
IoT Devices Require Stronger Security
Cyfirma believes that Chinese threat groups such as MISSION2025/APT41, APT10, and even various Russian threat actor groups could potentially exploit the security cameras. “Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale. These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization’s environment,” Cyfirma wrote in its report. The exposure created simply by not applying this firmware update is extensive, so extensive that it is hard to see why it remains unpatched in so many instances. Why haven’t all the companies with outdated firmware pushed the update out to all their cameras? Overall, organizations that operate IoT devices like Hikvision cameras need stronger security measures, including regular password updates and robust access controls, to further fortify the security of their systems.
The Vulnerability of the IoT
The prevalence of CVE-2021-36260 two years after the security patch shows the broader challenge of securing IoT devices. As Paul Bischoff, a privacy advocate with Comparitech, points out, “IoT devices such as cameras are not always as straightforward to secure as mobile applications. Updates are not automated; users must manually download and install them, and many users may never receive the notification.” Additionally, unlike more user-friendly systems such as smartphones, IoT devices may give no clear indication of their security status or of whether they require updates. This makes the devices much harder to secure and, in the grand scheme of things, leaves many of them vulnerable to exploitation. The situation is further exacerbated by the fact that some Hikvision cameras ship with preset passwords, which users often neglect to change. Because of these issues, it is imperative for organizations and users to take proactive measures to secure their IoT devices, including promptly applying security updates as soon as they are released and configuring robust access controls, to mitigate the risks associated with vulnerabilities like CVE-2021-36260. Failure to do so not only puts your devices at risk but also poses a potential threat to the broader network and to organizational security.
In conclusion, the fact that over 80,000 Hikvision surveillance cameras remain vulnerable to a critical security flaw despite a security update having been available for over two years highlights the essential importance of regularly updating your IoT devices, including Hikvision cameras, to the latest firmware. Neglecting security updates leaves these devices exposed to known, actively traded exploits. All owners of Hikvision cameras should update their firmware as soon as possible to close this issue. Keeping both your firmware and your team up to date is the best way to avoid exploitation.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –