List of Hikvision devices affected by the security vulnerability CVE-2021-36260

A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.

SN No.: HSRC-202109-01

Editor: Hikvision Security Response Center (HSRC)

Initial release date: 2021-09-19

CVE ID:

CVE-2021-36260

Scoring:

CVSS v3 is used to score this vulnerability (http://www.first.org/cvss/specification-document).

Base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Temporal score: 8.8 (E:P/RL:O/RC:C)

Affected versions and resolved versions:

Your device firmware is affected by this security vulnerability (CVE-2021-36260) if its version is dated earlier than 210628. Please install the updates immediately. Affected versions and resolved versions:

| No. | Product code | Affected versions |
|---|---|---|
| 1 | DS-2CVxxx1, DS-2CVxxx5, DS-2CVxxx6 | Versions with build time before 210625 |
| 2 | IPC-xxxx | Versions with build time before 210625 |
| 3 | DS-2CD1xx1 | Versions with build time before 210625 |
| 4 | DS-2CD1x23, DS-2CD1x43(B), DS-2CD1x43(C), DS-2CD1x43G0E, DS-2CD1x53(B), DS-2CD1x53(C) | Versions with build time before 210625 |
| 5 | DS-2CD1xx7G0 | Versions with build time before 210625 |
| 6 | DS-2CD2xx6G2, DS-2CD2xx7G2 | Versions with build time before 210625 |
| 7 | DS-2CD2x21G0 | Versions with build time before 210625 |
| 8 | DS-2CD2xx3G2 | Versions with build time before 210625 |
| 9 | DS-2CD3xx6G2, DS-2CD3xx7G2 | Versions with build time before 210625 |
| 10 | DS-2CD3xx7G0E | Versions with build time before 210625 |
| 11 | DS-2CD3x21G0, DS-2CD3x51G0 | Versions with build time before 210625 |
| 12 | DS-2CD3xx3G2 | Versions with build time before 210625 |
| 12 | DS-2CD4xx0, DS-2CD4xx6, DS-2CD5xx7, DS-2CD5xx5, iDS-2XM6810, iDS-2CD6810 | Versions with build time before 210625 |
| 14 | DS-2XE62x7FWD(D), DS-2XE30x6FWD(B), DS-2XE60x6FWD(B), DS-2XE62x2F(D), DS-2XC66x5G0, DS-2XE64x2F(B) | Versions with build time before 210625 |
| 15 | DS-2CD7xx6G0, DS-2CD8Cx6G0 | Versions with build time before 210625 |
| 16 | KBA18(C)-83x6FWD | Versions with build time before 210625 |
| 17 | (i)DS-2DExxxx | Versions with build time before 210625 |
| 18 | (i)DS-2PTxxxx | Versions with build time before 210625 |
| 19 | (i)DS-2SE7xxxx | Versions with build time before 210625 |
| 20 | DS-2DYHxxxx | Versions with build time before 210625 |
| 21 | DS-DY9xxxx | Versions with build time before 210625 |
| 22 | PTZ-Nxxxx | Versions with build time before 210625 |
| 23 | DS-2DF5xxxx, DS-2DF6xxxx, DS-2DF6xxxx-Cx, DS-2DF7xxxx, DS-2DF8xxxx, DS-2DF9xxxx | Versions with build time before 210625 |
| 24 | iDS-2PT9xxxx | Versions with build time before 210625 |
| 25 | iDS-2SK7xxxx, iDS-2SK8xxxx | Versions with build time before 210625 |
| 26 | iDS-2SR8xxxx | Versions with build time before 210625 |
| 27 | iDS-2VSxxxx | Versions with build time before 210625 |
| 28 | DS-2TBxxx, DS-Bxxxx, DS-2TDxxxxB | Versions with build time before 210702 |
| 29 | DS-2TD1xxx-xx, DS-2TD2xxx-xx | Versions with build time before 210702 |
| 30 | DS-2TD41xx-xx/Wx, DS-2TD62xx-xx/Wx, DS-2TD81xx-xx/Wx, DS-2TD4xxx-xx/V2, DS-2TD62xx-xx/V2, DS-2TD81xx-xx/V2 | Versions with build time before 210702 |
| 31 | DS-76xxNI-K1xx(C), DS-76xxNI-Qxx(C), DS-HiLookI-NVR-1xxMHxx(C), DS-HiLookI-NVR-2xxMHxx(C), DS-HiWatchI-HWN-41xxMHxx(C), DS-HiWatchI-HWN-42xxMHxx(C) | V4.30.210 Build201224 – V4.31.000 Build210511 |
| 32 | DS-71xxNI-Q1xx(C), DS-HiLookI-NVR-1xxMHxx(C), DS-HiLookI-NVR-1xxHxx(C), DS-HiWatchI-HWN-21xxMHxx(C), DS-HiWatchI-HWN-21xxHxx(C) | V4.30.300 Build210221 – V4.31.100 Build210511 |
| 33 | DS-2CD1x23G0, DS-2CD2xx1G0, DS-2CD2xx1G1, DS-2CD2x27G1, DS-2CD2x27G3E, DS-2CD4xx6FWD (Non-ANPR), DS-2CD4xx5G0, DS-2XE6xx5G0, DS-2XE6xx2F, DS-2XM6xx2FWD, DS-2XM6xx2G0, (i)DS-2DExxxx | Versions before (not including) V5.5.0 build xxxxxx |
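The table expresses the affected set as model-code patterns (lowercase `x` as a wildcard) paired with build-date thresholds or build-date ranges. The script below is an added example of how a defender can triage a device inventory against those rules; it is not Hikvision's Search Tool and not part of the advisory. It encodes only a subset of the table's rows (extend `AFFECTED` with the rest), and two things are assumptions: each run of `x` is treated as any run of model-code characters, and patterns are matched as prefixes because real model names carry suffixes. Both choices make the match deliberately over-inclusive, so a hit is a prompt to confirm against the full table, not a final verdict. The sample inventory is constructed.

```python
"""Inventory triage for CVE-2021-36260 against the advisory's version rules.

Added example (not Hikvision's tool): given (model, firmware version) pairs,
it reports which devices fall into the affected build-date ranges. Only a
subset of the advisory table is encoded in AFFECTED; the wildcard handling
and the sample inventory are assumptions/constructed data.
"""
import re

# Subset of the advisory's affected-product rows (extend as needed).
# ("before", YYMMDD): build dates earlier than YYMMDD are affected.
# ("between", lo, hi): build dates from lo to hi inclusive are affected.
AFFECTED = [
    ("DS-2CD1xx1", ("before", "210625")),
    ("DS-2CD2xx3G2", ("before", "210625")),
    ("DS-2CD3xx6G2", ("before", "210625")),
    ("DS-2TD1xxx-xx", ("before", "210702")),
    ("DS-76xxNI-K1xx(C)", ("between", "201224", "210511")),
]

# Hikvision writes build dates as 'Build210511' or 'build 210511' (YYMMDD).
BUILD_RE = re.compile(r"build\s*(\d{6})", re.IGNORECASE)


def model_regex(pattern: str):
    """Compile an advisory model pattern. Assumption: each run of lowercase
    'x' stands for any run of model-code characters, everything else is
    literal, and real model names may carry suffixes (e.g. '-I'), so the
    pattern is matched as a prefix. This is deliberately over-inclusive."""
    escaped = re.escape(pattern)          # keeps '-', '(' and ')' literal
    return re.compile(re.sub(r"x+", "[A-Z0-9/]*", escaped))


def build_date(version: str):
    """Extract the six-digit build date from a firmware version string."""
    match = BUILD_RE.search(version)
    return match.group(1) if match else None


def is_affected(model: str, version: str) -> tuple:
    """Return (verdict, reason). verdict is True/False when a rule decides,
    None when the model is not encoded or the version has no build date."""
    hits = [(p, rule) for p, rule in AFFECTED if model_regex(p).match(model)]
    if not hits:
        return None, f"{model}: not in the encoded table, check the advisory"
    date = build_date(version)
    if date is None:
        return None, f"{model}: no build date found in {version!r}"
    verdict, reasons = False, []
    for pattern, rule in hits:
        if rule[0] == "before":
            hit = date < rule[1]            # YYMMDD strings compare correctly
            reasons.append(f"{pattern}: build {date} {'<' if hit else '>='} {rule[1]}")
        else:
            lo, hi = rule[1], rule[2]
            hit = lo <= date <= hi
            reasons.append(f"{pattern}: build {date} {'within' if hit else 'outside'} {lo}..{hi}")
        verdict = verdict or hit
    return verdict, "; ".join(reasons)


if __name__ == "__main__":
    # Constructed sample inventory (not real devices).
    inventory = [
        ("DS-2CD2043G2-I", "V5.5.800 build 210303"),
        ("DS-2CD2043G2-I", "V5.5.800 build 210628"),
        ("DS-7608NI-K1/4P(C)", "V4.31.000 Build210511"),
        ("DS-2TD1217-3/V1", "V5.5.13 build 210630"),
        ("DS-2CD2043G2-I", "V5.5.800"),
        ("DS-9999", "V1.0 build 210101"),
    ]
    for model, version in inventory:
        verdict, reason = is_affected(model, version)
        label = {True: "AFFECTED", False: "fixed", None: "UNDETERMINED"}[verdict]
        print(f"{label:13} {model:22} {version:24} {reason}")
```

Row 33 is not encoded because its rule is a firmware version ("before V5.5.0") rather than a build date; handling it needs a separate version comparison, which is left out here. Devices that come back UNDETERMINED (no build date in the version string, or a model not yet encoded) should be checked by hand against the full table rather than treated as fixed.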

Precondition:

The attacker has access to the device network, or the device has a direct interface to the internet.

Attack step:

Send a specially crafted message.

Obtaining fixed firmware:

Users should download the updated firmware to guard against this vulnerability. It is available on the Hikvision official website (Firmware download). Users can also use the Search Tool for Important Firmware Update to quickly detect critical vulnerabilities and download the corresponding firmware.


Source: https://www.hikvision.com/