CVE-2021-36260
CVE-2021-36260 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale: a command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.87% chance of exploitation in the next 30 days.
Description
A command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Hikvision | Ds-2cd2026g2-Iu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2046g2-Iu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2066g2-I(U) Firmware | All versions |
| Hikvision | Ds-2cd2066g2-Iu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2086g2-I(U) Firmware | All versions |
| Hikvision | Ds-2cd2086g2-Iu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2166g2-I(Su) Firmware | All versions |
| Hikvision | Ds-2cd2186g2-I(Su) Firmware | All versions |
| Hikvision | Ds-2cd2186g2-Isu Firmware | All versions |
| Hikvision | Ds-2cd2326g2-Isu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2346g2-Isu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2366g2-I(U) Firmware | All versions |
| Hikvision | Ds-2cd2366g2-Isu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2386g2-I(U) Firmware | All versions |
| Hikvision | Ds-2cd2386g2-Isu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2426g2-I Firmware | All versions |
| Hikvision | Ds-2cd2446g2-I Firmware | All versions |
| Hikvision | Ds-2cd2526g2-I(S) Firmware | All versions |
| Hikvision | Ds-2cd2526g2-Is Firmware | All versions |
| Hikvision | Ds-2cd2546g2-I(S) Firmware | All versions |
| Hikvision | Ds-2cd2566g2-I(S) Firmware | All versions |
| Hikvision | Ds-2cd2586g2-I(S) Firmware | All versions |
| Hikvision | Ds-2cd2626g2-Izsu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2646g2-Izsu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2666g2-Izs Firmware | All versions |
| Hikvision | Ds-2cd2666g2-Izsu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2686g2-Izs Firmware | All versions |
| Hikvision | Ds-2cd2686g2-Izsu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2766g2-Izs Firmware | All versions |
| Hikvision | Ds-2cd2786g2-Izs Firmware | All versions |
| Hikvision | Ds-2cd2027g2-L(U) Firmware | All versions |
| Hikvision | Ds-2cd2047g2-L(U) Firmware | All versions |
| Hikvision | Ds-2cd2027g2-Lu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2087g2-L(U) Firmware | All versions |
| Hikvision | Ds-2cd2127g2-(-Su) Firmware | All versions |
| Hikvision | Ds-2cd2147g2-L(Su) Firmware | All versions |
| Hikvision | Ds-2cd2327g2-L(U) Firmware | All versions |
| Hikvision | Ds-2cd2347g2-L(U) Firmware | All versions |
| Hikvision | Ds-2cd2347g2-Lsu/Sl Firmware | All versions |
| Hikvision | Ds-2cd2387g2-L(U) Firmware | All versions |
| Hikvision | Ds-2cd2527g2-Ls Firmware | All versions |
| Hikvision | Ds-2cd2547g2-Ls Firmware | All versions |
| Hikvision | Ds-2cd2547g2-Lzs Firmware | All versions |
| Hikvision | Ds-2cd2121g0-I(W)(S) Firmware | All versions |
| Hikvision | Ds-2cd2321g0-I/Nf Firmware | All versions |
| Hikvision | Ds-2cd2421g0-I(D)(W) Firmware | All versions |
| Hikvision | Ds-2cd2421g0-I(D)W Firmware | All versions |
| Hikvision | Ds-2cd2621g0-I(Z)(S) Firmware | All versions |
| Hikvision | Ds-2cd2721g0-I(Z)(S) Firmware | All versions |
| Hikvision | Ds-2cd2121g1-I(W) Firmware | All versions |
Showing 50 of 256 affected configurations. See NVD for the full list.
References
- http://packetstormsecurity.com/files/164603/Hikvision-Web-Server-Build-210702-Command-Injection.html (Exploit, Third Party Advisory, VDB Entry)
- http://packetstormsecurity.com/files/166167/Hikvision-IP-Camera-Unauthenticated-Command-Injection.html (Exploit, Third Party Advisory, VDB Entry)
- https://www.cyfirma.com/wp-content/uploads/2022/08/HikvisionSurveillanceCamerasVulnerabilities.pdf (Broken Link, Exploit, Third Party Advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-36260 (US Government Resource)
Source: NVD / NIST
