Critical security vulnerability affects thousands of Hikvision cameras in South Africa
CYFIRMA security researchers have found thousands of Internet-exposed Hikvision cameras in more than 100 countries that are still vulnerable to a critical command injection flaw.
The flaw is tracked as CVE-2021-36260 and has a critical Common Vulnerability Scoring System rating of 9.8.
Hikvision patched the vulnerability in a September 2021 firmware update, Bleeping Computer reported.
However, when CYFIRMA analysed a sample of 285,000 exposed cameras across more than 100 countries, approximately 80,000 of them were still vulnerable to exploitation roughly a year after the patch was released.
China has the highest number of vulnerable systems at 12,690, while the US has 10,611. South Africa sits at 2,465 exploitable cameras.
CVE-2021-36260 is a command injection flaw in the camera's embedded web server. Because the server does not sufficiently validate its input, an unauthenticated attacker with network access to it can send crafted requests containing shell commands and have them executed on the device.
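As an added illustration of the class of bug described above (this is not Hikvision's code and not the actual vulnerable code path, which the article does not detail): a hypothetical embedded web handler that splices a request parameter into a shell command line, beside a hardened version that allowlists the parameter and passes it as a single argv element with no shell involved. The parameter name, the `ping` command and the attack string are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed attacker input for the demonstration: a plausible address
 * followed by a shell separator and a second command. */
static const char *const ATTACK_INPUT = "8.8.8.8; cat /etc/passwd";

/* VULNERABLE PATTERN (illustrative, hypothetical handler): the request
 * parameter is spliced into a command line that the insecure handler would
 * hand to system(), so the shell interprets ';', '|', '`', '$()' and
 * newlines in the attacker's input as command syntax. Returns the length
 * snprintf reports. */
int build_cmd_vulnerable(const char *host, char *out, size_t outlen) {
    return snprintf(out, outlen, "ping -c 1 %s", host);
    /* the insecure handler would continue with: system(out); */
}

/* HARDENED STEP 1: strict allowlist on the parameter. Only characters that
 * can legitimately appear in a host name or IP literal are accepted; shell
 * metacharacters are rejected by omission, not by a denylist. */
bool valid_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253) return false;          /* 253 = max DNS name length */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return false;
    }
    return host[0] != '-';                          /* would otherwise parse as an option */
}

/* HARDENED STEP 2: no shell at all. The parameter becomes exactly one argv
 * element, so even a value that slipped past validation cannot split into
 * extra commands. Returns argc, or -1 if the input was rejected. argv must
 * have room for 5 pointers (4 arguments + NULL terminator). */
int build_argv_hardened(const char *host, const char *argv[5]) {
    if (!valid_host(host)) return -1;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

/* Executes the hardened argv with fork/execv (no /bin/sh involved).
 * Returns the child's exit status, or -1 on rejection or spawn failure. */
int run_hardened(const char *host) {
    const char *argv[5];
    if (build_argv_hardened(host, argv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                                 /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    build_cmd_vulnerable(ATTACK_INPUT, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);   /* two commands, not one */
    printf("hardened handler accepts attack input? %s\n",
           valid_host(ATTACK_INPUT) ? "yes" : "no");
    printf("hardened handler accepts 192.168.1.20? %s\n",
           valid_host("192.168.1.20") ? "yes" : "no");
    return 0;
}
```

The allowlist alone is not the fix; the decisive change is that the hardened path never gives the attacker's bytes to a shell, so a parser bug or an overlooked character cannot turn one argument into a second command. The validation is kept because it also stops the value from being misread as a command-line option.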
CYFIRMA has observed various accounts of hackers looking to collaborate on exploiting the vulnerability.
The research team said they suspect that Chinese threat groups such as MISSION2025/APT41 and APT10 and its affiliates, as well as unidentified Russian threat actor groups, could exploit the vulnerability.
“Cyber criminals and state-sponsored hacker groups could very easily collaborate using this avenue as an opportunity for mutual gains and to further their interests,” CYFIRMA said.
The research team said cybercriminals in countries whose relations with other nations are strained could use the vulnerable cameras to launch geopolitically motivated attacks.
“Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale.”
Bleeping Computer reported that besides the CVE-2021-36260 vulnerability, weak passwords are also a significant risk factor.
The cybersecurity publication reported spotting multiple offerings of lists with credentials for Hikvision camera live video feeds in hacking forums on the open Internet.
Hikvision camera operators are therefore advised to update to the latest firmware, set strong, unique passwords, and place the cameras behind a firewall so that their web interface is not reachable directly from the Internet.