Thousands of Hikvision video cameras remain unpatched and vulnerable to takeover

In September 2021 we told you about insecure Hikvision security cameras that were ready to be taken over remotely.

However, according to a whitepaper published by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update, and are therefore vulnerable to exploitation.

The vulnerability

According to the researcher that reported it last year, the vulnerability has existed at least since 2016. All an attacker needs is access to the http(s) server port (typically 80/443). No username or password is needed, nor are any actions needed from the camera owner, and the attack is not detectable by any logging on the camera itself. A cybercriminal could exploit the vulnerability to launch a command injection attack by sending some messages with specially crafted commands.

The patch

The flaw is tracked as CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021. The critical bug received a 9.8 out of 10 on the CVSS scale of severity, clearly demonstrated by the fact that it allows the attacker to gain even more access than the owner of the device has, since the owner is restricted to a limited protected shell (psh) which filters input to a predefined set of limited, mostly informational commands.

The abuse

One possible exploit of this vulnerability was published by packet storm in October 2021.

In December 2021, BleepingComputer reported that a Mirai-based botnet called Moobot was spreading aggressively via exploiting this vulnerability in the webserver of many Hikvision products.

A Metasploit module based on the vulnerability was published by packet storm in February of 2022.

The Cybersecurity & Infrastructure Security Agency (CISA) added the vulnerability to its list of known exploited vulnerabilities that should be patched by January 24, 2022.

Unpatched

Given the amount of available information, it is trivial even for a “copy and paste criminal” to make use of the unpatched cameras.

Of an analyzed sample of 285,000 internet-facing Hikvision web servers, CYFIRMA found roughly 80,000 of them were still vulnerable to exploitation. Most of these are located in China and the United States, while Vietnam, the UK, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania all count above 2,000 vulnerable cameras.

Mitigation

If you are in doubt whether you are using a vulnerable product, there is a list of the vulnerable firmware versions in the researchers’ post. Hikvision says you should download the latest firmware for your device from the global firmware portal.

In general, it is not a good idea to make your cameras accessible from the internet, and if you do, put them behind a VPN.
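Because the attack leaves no trace in the camera's own logs, exposure of the http(s) port has to be spotted at the network edge. The following is an added example, not code from the article or from Hikvision: it audits firewall/flow log lines for connections to a camera's web ports that did not come from the VPN or management subnets. The camera addresses, the allowed subnets and the log format are all constructed assumptions.

```python
import ipaddress
import re

# Constructed for this example: camera addresses, and the subnets from which
# reaching a camera's web interface is legitimate (VPN pool, management LAN).
CAMERA_HOSTS = {"10.0.5.10", "10.0.5.11"}
ALLOWED_SOURCES = [ipaddress.ip_network("10.8.0.0/24"),   # VPN client pool
                   ipaddress.ip_network("10.0.1.0/24")]   # management LAN
CAMERA_WEB_PORTS = {80, 443}  # the http(s) ports the vulnerability needs

# Simplified flow-log format (assumed): <ts> <src>:<sport> -> <dst>:<dport> <proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$")

def find_external_camera_access(lines):
    """Return (timestamp, src_ip, dst_ip, dst_port) for every connection to a
    camera web port whose source lies outside the allowed subnets."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the audit
        dst, dport = m["dst"], int(m["dport"])
        if dst not in CAMERA_HOSTS or dport not in CAMERA_WEB_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in ALLOWED_SOURCES):
            continue
        findings.append((m["ts"], m["src"], dst, dport))
    return findings

# Constructed sample log: a VPN client, a management host, two connections
# from outside the allowed ranges, one unrelated (RTSP) port, one bad line.
SAMPLE_LOG = [
    "2022-08-23T10:01:02Z 10.8.0.7:51234 -> 10.0.5.10:443 tcp",
    "2022-08-23T10:01:09Z 10.0.1.20:41000 -> 10.0.5.11:80 tcp",
    "2022-08-23T10:02:15Z 198.51.100.23:60000 -> 10.0.5.10:80 tcp",
    "2022-08-23T10:02:16Z 203.0.113.9:3421 -> 10.0.5.11:443 tcp",
    "2022-08-23T10:03:00Z 203.0.113.9:3422 -> 10.0.5.11:554 tcp",
    "not a flow line",
]

if __name__ == "__main__":
    for ts, src, dst, port in find_external_camera_access(SAMPLE_LOG):
        print(f"{ts} camera {dst}:{port} reached from non-VPN source {src}")
```

Any hit from this audit means the camera's web port is reachable from outside the VPN, which is exactly the exposure the article warns against, regardless of whether the firmware has been updated.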