Thousands of organizations remain at risk from zero-click IP camera bug

Jai Vijayan, Dark Reading

August 29, 2022


Some 2,300 organizations worldwide — many of them in the United States — remain at risk of major compromise via a known critical remote code execution (RCE) vulnerability in Hikvision IP video cameras that was disclosed last year.

The bug (CVE-2021-36260) is a command injection vulnerability in the Web server of several Hikvision cameras. Attackers can exploit it to run commands that give them complete root-shell access to an affected device — a level of access that even the owners don’t have, according to the researcher who discovered the flaw.
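The following is an added illustration of the vulnerability class the article names, OS command injection in a device's web request handler, shown as the vulnerable pattern beside its hardened form. It is constructed for this page and is not Hikvision's code or the actual CVE-2021-36260 code path; the parameter name, the allowlist, and the choice of `echo` as the invoked utility (so the snippet runs anywhere with `/bin/sh`) are assumptions.

```python
import re
import subprocess

# Constructed example: a minimal request handler that passes a value taken from
# an HTTP request into a system utility. This is not Hikvision's code and does
# not reproduce the real CVE-2021-36260 code path; `echo` stands in for whatever
# utility a device firmware would invoke so the example runs offline.

# Allowlist for a hostname-like parameter: letters, digits, dot and hyphen only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def handle_unsafe(param: str) -> str:
    """Vulnerable pattern: the request value is spliced into a shell string.

    A shell metacharacter in `param` (';', '|', '&', '$(...)', backticks) ends
    the intended command and starts one the caller chose, executed with the
    server's privileges, which on many embedded devices is root.
    """
    cmd = f"echo {param}"  # string concatenation + shell=True is the defect
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def handle_argv_only(param: str) -> str:
    """Partial fix: pass the value as a single argv element, so no shell parses it.

    Metacharacters are delivered to the utility as literal text.
    """
    return subprocess.run(["echo", param], capture_output=True, text=True).stdout


def validate_hostname(param: str) -> bool:
    """Allowlist check: accept only characters a hostname can legitimately contain."""
    return HOSTNAME_RE.fullmatch(param) is not None


def handle_safe(param: str) -> str:
    """Hardened pattern: allowlist-validate, then use argv (defence in depth)."""
    if not validate_hostname(param):
        raise ValueError("request parameter rejected by allowlist")
    return handle_argv_only(param)


if __name__ == "__main__":
    benign = "cam-01.example.net"
    hostile = "cam-01; echo INJECTED"  # constructed input carrying a shell separator
    print(repr(handle_unsafe(benign)))     # 'cam-01.example.net\n'
    print(repr(handle_unsafe(hostile)))    # 'cam-01\nINJECTED\n'  second command ran
    print(repr(handle_argv_only(hostile))) # 'cam-01; echo INJECTED\n'  treated as text
    print(repr(handle_safe(benign)))       # 'cam-01.example.net\n'
    try:
        handle_safe(hostile)
    except ValueError as err:
        print("rejected:", err)
```

The two-layer fix is the point: the argv form alone already stops the shell from interpreting the value, and the allowlist in front of it rejects anything that does not look like the expected data before it reaches any utility, which also gives the server a clean event to log.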

The organizations using the unpatched devices are at risk of network compromise, and potentially even physical attack; attackers could use the zero-click vulnerability to take complete control of affected Hikvision cameras. From there, they could disable them ahead of a physical breach, or use them to breach connected enterprise networks, launch denial-of-service attacks on them, add them to a botnet, steal data, and carry out other malicious actions.

“This is the highest level of critical vulnerability — a zero click unauthenticated remote code execution (RCE) vulnerability affecting a high number of Hikvision cameras. Connected internal networks at risk,” according to the bug report.

The firmware vulnerability was discovered in June 2021 and reported to the hardware vendor, which then issued a patch for it last September. However, close to a year later, tens of thousands of affected devices — whose users include at least some federal civilian agencies — remain unpatched against the vulnerability.

Hikvision Camera Analysis

Researchers from Cyfirma recently analyzed a sample of 285,000 Internet-facing Hikvision cameras and found some 80,000 of them that are still open to exploit via the vulnerability.

The countries with the greatest number of vulnerable devices were China (12,690), the US (10,611), and Vietnam (7,394). Other countries with a sizeable number of vulnerable Hikvision cameras included the United Kingdom, Ukraine, Thailand, and South Africa. The cameras belong to more than 2,300 organizations scattered across these and other countries.

To read the complete article, visit Dark Reading.
