Hikvision cameras are exposed online
Security researchers have found more than 80,000 internet-exposed Hikvision cameras that remain vulnerable to a critical command injection flaw, exploitable by sending specially crafted messages to the camera’s built-in web server.
The flaw is tracked as CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021.
Two public exploits for CVE-2021-36260 are known, one published in October 2021 and the second in February 2022, so threat actors of all skill levels can search for and exploit vulnerable cameras.
In December 2021, a Mirai-based botnet called ‘Moobot’ used this exploit to spread aggressively and enlist compromised cameras into DDoS (distributed denial of service) swarms.
Vulnerable and exploited
CYFIRMA says Russian-speaking hacking forums often sell network entry points based on exploitable Hikvision cameras, which buyers can use either for “botnetting” or for lateral movement into the victim’s network.
Of an analyzed sample of 285,000 internet-facing Hikvision web servers, the cybersecurity firm found roughly 80,000 still vulnerable to exploitation.
Most of these are located in China and the United States, while Vietnam, the UK, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania all count above 2,000 vulnerable endpoints.
Weak passwords are also a problem
Apart from the command injection vulnerability, there is also the issue of weak passwords: either ones that users set for convenience, or default credentials that ship with the device and are never changed during initial setup.
BleepingComputer has spotted multiple offerings of lists, some even free, containing credentials for Hikvision camera live video feeds on clearnet hacking forums.