Hikvision Camera Vulnerability Actively Exploited, CISA Warns Agencies to Patch Immediately
A critical vulnerability affecting multiple Hikvision surveillance products is drawing fresh security attention after it was added to the U.S. government’s Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2017-7921, allows attackers to bypass authentication controls and gain administrative access to affected devices.
Security experts warn that organizations running unpatched Hikvision cameras or network video recorders could expose sensitive surveillance feeds and network data to attackers. The vulnerability carries a critical severity rating and can be exploited remotely without credentials, which makes it particularly dangerous for internet-connected devices.
The issue stems from improper authentication logic inside the firmware of certain Hikvision cameras, allowing a remote attacker to impersonate authorized users or elevate privileges. Once exploited, attackers may access configuration files, change credentials, or retrieve stored surveillance data from the device.
Cybersecurity agencies warn that many affected cameras remain exposed online because organizations continue using outdated firmware or legacy devices that never received patches.
Why the Hikvision vulnerability is serious
Security researchers say the flaw sits inside the authentication process used by the device’s management interface. When attackers send specially crafted requests to the camera’s web interface, the system fails to properly verify the user’s identity.
This allows attackers to operate the device as if they had administrator privileges.
Possible consequences include:
- Accessing live surveillance video streams
- Downloading stored camera recordings
- Extracting device configuration files
- Resetting user passwords or creating new accounts
- Using the compromised device as a foothold inside corporate networks
Researchers have observed attackers scanning the internet for vulnerable cameras and digital video recorders that still run outdated firmware.
In large organizations, surveillance cameras often connect to internal networks. If attackers compromise those devices, they may move laterally toward more sensitive systems.
Key technical details of CVE-2017-7921
| Category | Details |
|---|---|
| Vulnerability ID | CVE-2017-7921 |
| Type | Improper authentication (CWE-287) |
| Severity | Critical |
| CVSS Score | Up to 10.0 |
| Attack Requirements | Remote, no credentials required |
| Impact | Privilege escalation and unauthorized access |
Improper authentication occurs when a system does not correctly verify a user’s identity before granting access to restricted functions. This flaw can allow attackers to escalate privileges and obtain sensitive information.
Products potentially affected
The vulnerability originally affected several Hikvision IP camera series and related surveillance products running specific firmware versions.
Devices that may be exposed include:
- Hikvision IP cameras
- Network Video Recorders (NVRs)
- OEM cameras based on Hikvision firmware
- Rebranded surveillance products using Hikvision hardware
Some devices sold under other brand names may also be vulnerable because they use the same firmware base.
Why IoT devices are frequent targets
Internet-connected cameras belong to a broader category known as Internet of Things (IoT) devices. These devices often receive fewer updates than traditional software systems.
Attackers frequently target them because:
- Devices run outdated firmware
- Default passwords remain unchanged
- Security monitoring tools rarely inspect IoT traffic
- Many devices remain exposed directly to the internet
Security researchers have observed malware campaigns scanning for vulnerable cameras, including those affected by CVE-2017-7921, to build botnets or gather intelligence.
Recommended mitigation steps
Security agencies and vendors recommend immediate action to prevent exploitation.
Organizations should take the following steps:
- Identify all Hikvision devices connected to the network
- Check firmware versions against vendor security advisories
- Apply the latest available firmware updates
- Restrict remote access to surveillance devices
- Place cameras on isolated network segments
- Disable unnecessary services such as remote administration
If devices cannot receive updates due to hardware limitations, organizations should remove them from production networks or replace them with supported models.
Quick checklist for administrators
- Inventory all surveillance devices on the network
- Update firmware immediately if patches exist
- Change all default credentials
- Disable direct internet exposure
- Monitor network logs for unusual camera activity
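The isolation and log-monitoring items above can be checked against firewall flow logs. The following is an added example, not code from the article or from Hikvision; the subnets, hosts, management ports and the four-field log format are constructed assumptions to adapt to your own network.

```python
import ipaddress

# Constructed policy (assumptions, not values from the article).
SITE_NET = ipaddress.ip_network("10.0.0.0/8")        # everything internal
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")   # isolated camera segment
MGMT_NET = ipaddress.ip_network("10.20.99.0/28")     # approved admin hosts
NVR_HOSTS = {ipaddress.ip_address("10.20.30.10")}    # recorder on the camera segment
MGMT_PORTS = {80, 443, 8000}                         # assumed management ports

# Constructed flow records, one per line: "src dst dport action"
SAMPLE_FLOWS = """\
10.20.99.5 10.20.30.21 443 allow
203.0.113.77 10.20.30.21 80 allow
10.20.30.21 10.20.30.10 554 allow
10.20.30.22 198.51.100.9 6667 allow
10.1.4.18 10.20.30.23 8000 allow
203.0.113.77 10.20.30.24 80 deny
"""

def audit_flows(text):
    """Return (kind, src, dst, dport) for allowed flows that break camera isolation."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "allow":
            continue  # skip malformed lines and traffic the firewall already blocked
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            dport = int(parts[2])
        except ValueError:
            continue
        approved_admin = src in MGMT_NET or src in NVR_HOSTS
        if dst in CAMERA_NET and dport in MGMT_PORTS and not approved_admin:
            # Management interface reachable from somewhere it should not be.
            kind = ("mgmt-from-unapproved-host" if src in SITE_NET
                    else "internet-exposed-mgmt")
            findings.append((kind, str(src), str(dst), dport))
        elif (src in CAMERA_NET and src not in NVR_HOSTS
              and dst not in CAMERA_NET and dst not in MGMT_NET):
            # A camera opening connections outside its segment is unusual activity.
            findings.append(("camera-egress", str(src), str(dst), dport))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Any `internet-exposed-mgmt` or `camera-egress` finding points to a device that should be taken off direct exposure and checked for firmware status first.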
FAQ
CVE-2017-7921 is a critical authentication bypass vulnerability affecting certain Hikvision surveillance devices. It allows attackers to access the device without valid credentials.
Attackers can access surveillance feeds, retrieve recordings, extract configuration files, and modify system settings.
Yes. Many devices remain vulnerable because organizations continue using outdated firmware or unsupported hardware.
Administrators should apply firmware updates from Hikvision, isolate surveillance devices from critical networks, and remove unsupported hardware.