Report: Cybersecurity vulnerability could affect millions of Hikvision cameras

Sept. 21, 2021
Company announces updated firmware version to address the issue

Video surveillance giant Hikvision on Sunday posted a security advisory on its website alerting customers to a vulnerability that could potentially affect millions of cameras and NVRs deployed around the globe.

The “command injection vulnerability,” which would enable attackers to gain full control of an affected device, was discovered by cybersecurity researcher Watchful IP in June and was first reported on Monday by IPVM. Though Hikvision has not said how many products are potentially affected and has thus far only posted a list of product names and firmware versions, IPVM estimates that it could impact more than 100 million devices.

According to the advisory, the vulnerability received a base score of 9.8 out of 10 per the Common Vulnerability Scoring System (CVSS), which Watchful IP characterized as being “the highest level of critical vulnerability.”

In a letter sent to its partners, which has been obtained by SecurityInfoWatch.com, Hikvision directed integrators to download an updated version of firmware on its website to fix the issue. 

“We recognize that many of our partners may have installed Hikvision equipment that is affected by this vulnerability, and we strongly encourage that you work with your customers to ensure proper cyber hygiene and install the updated firmware,” the letter reads. 

Hikvision goes on to say in the letter that it worked with Watchful IP to patch the vulnerability and that all vulnerabilities reported to the company and/or made public have been patched in its latest firmware version.

“Hikvision is a CVE Numbering Authority (CNA) and has committed to continuing to work with third-party white-hat hackers and security researchers, to find, patch, disclose and release updates to products in a timely manner that is commensurate with our CVE CNA partner companies' vulnerability management teams,” the letter continues. “Hikvision strictly complies with the applicable laws and regulations in all countries and regions where we operate and our efforts to ensure the security of our products go beyond what is mandated.”

A spokesperson for Hikvision declined to comment further on the matter.

For its part, Watchful IP said the vulnerability did not appear to be a backdoor into the products that was mandated by the Chinese government. “You wouldn’t do it like this. And not all firmware types are affected,” the researcher said in a post explaining the issue.

The full list of affected products and firmware versions is published in Hikvision’s advisory.

The disclosure of this vulnerability is the latest in a string of noteworthy events to impact the Chinese surveillance manufacturer so far this year. In July, Hikvision terminated its Security Industry Association (SIA) membership, citing a conflict over IPVM also being allowed to be a member of the organization. Just a month prior, the Federal Communications Commission (FCC) voted to adopt a rulemaking measure that could potentially ban all future authorizations of products manufactured by the company and could even revoke prior equipment authorizations.

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].