Hikvision IP Cameras suffer from multiple access bypass vulnerabilities.
cabfbe910089852487e71438083c32d73028cf30f8bde18c0de76568a7647b30
Hikvision IP Camera has a backdoor where a magic string allows instant access regardless of authentication.
5f6dfb93637a2bf560169ca8d350af523d2b8bf97671349af8d90046510d15a5
This Metasploit module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user. This module specifically attempts to exploit the blind variant of the attack. The module was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. It was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725. Please see the Hikvision advisory for a full list of affected products.
7bd3dd72f17285cba701691f5d8795c84e79f211db3e6ea8a840141f658935a5
Hikvision IP Camera versions 5.2.0 through 5.3.9 (builds 140721 up until 170109) suffer from an access control bypass vulnerability.
7af92b119967a688ba007849fccd93f43c5fcb2a0a609765db006f3999450a9f
Core Security Technologies Advisory - Hikvision IP Cameras suffer from buffer overflow, authentication bypass, hard-coded credential, and privilege escalation vulnerabilities.
a4a4535ab067aafda1e020840c583034d91d05f5ea87d44f5643945fba43b443