November 17, 2023 -- Today, Hikvision has issued a patch, available on its website, to fix a vulnerability (CVE-2023-28811) in Hikvision NVRs/DVRs.
Hikvision has rated this vulnerability as 7.4 using the CVSS v3.1 calculator. The list of products affected by the vulnerability can be accessed on its website. While Hikvision is not aware of this vulnerability being exploited in the field, it recognizes that some of its partners may have installed Hikvision equipment that is impacted by it. Hikvision encourages them to work with their customers to install the patch and ensure proper cyber hygiene.
Hikvision wants to provide you with the details and timeline of this vulnerability to reassure you of its strong commitment to cybersecurity by following the standard Coordinated Disclosure Process. In August 2023, the potential vulnerability in Hikvision products was reported to the Hikvision Security Response Center (HSRC) by Sergio Ruiz of the IOActive team. Once the HSRC confirmed the existence of the vulnerability, it worked with the researcher to develop the patch and verify the successful mitigation of the reported vulnerability.
To date, vulnerabilities that have been reported to Hikvision have been patched in the latest Hikvision firmware, which is readily available on the Hikvision website.
Hikvision is a CVE Partner and is committed to continuing to work with third-party security researchers to find, patch, disclose and release updates to products in a timely manner that best protects the users of Hikvision products. To report any security issues or vulnerabilities in Hikvision products and solutions, please contact the Hikvision Security Response Center at [email protected].