Hikvision has released a new firmware update to address two recently discovered security vulnerabilities that could affect eight specific models of the video surveillance giant’s storage products.
According to a letter the company sent to its partners on Thursday that was also provided to SecurityInfoWatch.com (SIW), the vulnerabilities were initially discovered by an undisclosed security researcher in March and subsequently reported to the Hikvision Security Response Center (HSRC).
Specifically, the vulnerabilities – CVE-2022-28171 and CVE-2022-28172 – which were rated with Common Vulnerability Scoring System (CVSS) base scores of 7.5 and 6.5 respectively, pertain to the web module in some of the company’s hybrid SAN/cluster storage products and could have been exploited by hackers in one of two ways, per the company’s letter:
- Due to insufficient input validation, an attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.
- Due to insufficient input validation, an attacker can exploit the vulnerability to carry out an XSS attack by sending messages with malicious commands to the affected device.
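The letter names two bug classes without technical detail: unvalidated input reaching a command, and unvalidated input reflected into a web page. The following is an added, generic illustration of both patterns and their fixes in Python; it is not Hikvision's code and says nothing about how the actual products were affected. The "ping a host" diagnostic endpoint, the hostname rule and the sample inputs are all assumptions constructed for the example.

```python
import html
import re
import shlex

# Hypothetical allow-list for a hostname parameter (constructed for this example).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_command_unsafe(target: str) -> str:
    """VULNERABLE pattern: user input concatenated into a shell command string.

    If this string is handed to a shell (system(), popen(), shell=True),
    metacharacters such as ';', '|' or '$(...)' in `target` let the caller
    run commands the web module never intended to expose.
    """
    return "ping -c 1 " + target


def build_ping_command_safe(target: str) -> list[str]:
    """Hardened form: validate against an allow-list, then build an argv list.

    An argv list passed to subprocess.run(..., shell=False) is never parsed
    by a shell, so even a value that slipped past the regex could not split
    into a second command.
    """
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError("rejected target: %r" % target)
    return ["ping", "-c", "1", target]


def shell_words(cmd: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would, keeping
    control operators (';', '|', '&') as separate tokens. Used here only to
    show what the shell would see; nothing is executed."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def render_greeting_unsafe(name: str) -> str:
    """VULNERABLE pattern: reflect a request parameter into HTML unescaped."""
    return "<p>Hello " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened form: HTML-escape on output so markup in the input stays text."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed malicious inputs, not observed traffic.
    injected = "127.0.0.1; id"
    print(shell_words(build_ping_command_unsafe(injected)))  # shell sees two commands
    try:
        build_ping_command_safe(injected)
    except ValueError as exc:
        print("blocked:", exc)
    payload = "<script>alert(1)</script>"
    print(render_greeting_unsafe(payload))
    print(render_greeting_safe(payload))
```

The point of the two builders is that validation alone is not the fix: the safe version both rejects characters outside the allow-list and avoids the shell entirely, so a gap in the regex does not become command execution. The XSS half shows the same principle on the output side, where escaping at render time is what keeps a reflected parameter from executing.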
The affected products, along with the impacted software versions and fixes can be found in the chart below:
“To date, all vulnerabilities that have been reported to Hikvision and/or made publicly known, have been patched in the latest Hikvision firmware, which is readily available on the Hikvision website,” the company said in the letter. “Additionally, Hikvision is a CVE Partner and is committed to continuing to work with third-party ethical hackers and security researchers to find, patch, disclose and release updates to products in a manner that best protects the users of Hikvision products. Hikvision strictly complies with the laws and regulations in all countries and regions where we operate and we apply the highest standards of cybersecurity practices in an effort to best protect the users of Hikvision products around the world.”
Last year, cybersecurity researchers uncovered a “command injection vulnerability” affecting millions of Hikvision cameras and NVRs that would have enabled hackers to gain full control of the compromised devices had it been exploited. The company later issued a firmware update to address the issue.