Hikvision IP Cameras: Unauthenticated Command Injection (CVE-2021-36260) Actively Exploited
Summary
A command injection flaw in the web server of a broad swath of Hikvision IP cameras lets a remote, unauthenticated attacker execute commands with a single crafted request and take full control of the device; no credentials are required. The bug carries a near-maximum CVSS of 9.8 and has been weaponized at scale, which is why CISA placed it in the Known Exploited Vulnerabilities catalog and botnet operators continue to scan for it years after disclosure. A compromised camera becomes a live foothold on the network and a tool for tampering with surveillance footage.
Affected products
Impact
Pre-authentication remote code execution (CVSS 3.1 base 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) gives an attacker complete control of the camera: live and recorded video access, use of the device in DDoS botnets, and lateral movement into adjacent VLANs. CISA confirmed active exploitation in the wild, making any exposed unpatched unit a standing incident risk.
Remediation
Hikvision released fixed firmware, and the short-term technical step is to update every affected camera and pull management interfaces off the public internet behind segmentation. For Section 889-covered environments, though, firmware updates do not make the device permissible, and given confirmed in-the-wild exploitation the only defensible posture is removal. Uniqcli Security runs structured rip-and-replace engagements, identifying banned cameras (including OEM-rebadged Hikvision units), replacing them with NDAA-compliant Axis, Hanwha, i-PRO, or Bosch cameras, and delivering a compliance attestation for your records.
Want us to handle it?
We patch, harden or replace affected devices and document the closeout.
