Hikvision rolls out patch to fix 'critical' vulnerability in storage equipment

April 10, 2023
Hikvision’s website says the vulnerability allowed attackers to potentially obtain administrative permissions and gain network access to the device.

Hikvision issued a patch Monday to fix what it terms a “critical” vulnerability in some of its hybrid SAN/cluster storage products.

Hikvision rated the vulnerability as a 9.1, or “critical,” using the CVSS v3.1 calculator. The vulnerability allowed attackers to potentially obtain administrative permissions and gain network access to the device, the company says.

Hikvision is not aware of the vulnerability being exploited, but some of the affected equipment was installed in the field by contractors.

“We strongly encourage them to work with their customers to install the patch and ensure proper cyber hygiene,” Hikvision says.

The company says it learned of the potential vulnerability from Souvik Kandar and Arko Dhar from its Redinent Innovations team in India, which reported it to the Hikvision Security Response Center.

Once the Center confirmed the vulnerability, it worked with the National Computer Emergency Response Team of India to develop patches and verify the problem was mitigated.

A list of affected products and versions can be found here.

Monday’s news will likely not be helpful to Hikvision as it fights a ban by the Federal Communications Commission and is dealing with major scrutiny in other countries over security concerns.

Hikvision USA recently sued the FCC and U.S. government, seeking to overturn the FCC’s security ban on the Chinese company’s future equipment authorizations.

Hikvision says in a statement that it is “committed to continuing to work with third-party security researchers to find, patch, disclose and release updates to products in a timely manner that best protects the users of Hikvision products.”