Uniqcli Security
Severity: High | Vendor: Hikvision | Published: April 2, 2024

Hikvision NVRs: Authenticated Command Injection Allows Arbitrary Command Execution

NDAA Section 889: Hikvision (Hangzhou Hikvision Digital Technology) is named in Section 889 of the FY2019 NDAA and is on the FCC Covered List. Federal agencies and federally funded programs are prohibited from procuring or using its equipment, and patching does not restore eligibility, so affected NVRs must be removed and replaced with compliant hardware. Because the brand itself is a covered entity, replacement rather than patching is the compliant path.

Summary

Multiple Hikvision network video recorder families contain a command injection flaw in which an account with administrative rights can break out of the intended interface and run arbitrary operating-system commands on the recorder. On a device that records and stores surveillance footage, that means an attacker who obtains or guesses admin access can pivot to full control of the appliance, tamper with evidence, and use the NVR as a beachhead into the rest of the network. The flaw spans a wide range of NI- and NXI-series recorders on firmware 5.02.005 and earlier.

Affected products

Hikvision DS-7604NI-K1/4P(B) (V4.30.096build221220 and earlier)
Hikvision DS-76xxNI-Mx / DS-77xxNI-Mx / DS-96xxxNI-Mxx (V5.00.000 through V5.02.005)
Hikvision DS-76xxNXI-Ix / DS-77xxNXI-Ix / DS-86xxNXI-Ix / DS-96xxNXI-Ix (V5.00.000 through V5.02.005)
Hikvision iDS-76xxNXI-Mx / iDS-77xxNXI-Mx / iDS-96xxxMXI-Mxx (V5.00.000 through V5.02.005)

Impact

A user with administrative privileges can execute arbitrary commands on the underlying system (CVSS 3.1 base 7.2, vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), yielding code execution, footage manipulation, persistence, and lateral movement. Because surveillance recorders are frequently deployed with default or shared credentials and exposed management interfaces, the practical attack surface is larger than the high-privilege requirement implies.

Remediation

Update affected recorders to firmware V5.02.006 or later (or the latest available build for the K-series model) and immediately remove default and shared administrator credentials. However, Hikvision is a Section 889 covered entity, so for US federal, DoD, and federally funded SLED and critical-infrastructure environments the correct remediation is removal, not patching. Uniqcli Security performs compliant rip-and-replace programs, swapping banned NVRs and cameras for TAA-compliant Axis, i-PRO, Hanwha, or Bosch recording infrastructure on Milestone or Genetec, with documentation for your audit file.
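For an inventory sweep against the version ranges in the Affected products and Remediation sections, the following Python is an added example (not the advisory's or Hikvision's code). It parses Hikvision-style firmware strings such as V5.02.005 and V4.30.096build221220, matches a model string against the families listed above, and reports whether the record falls inside the vulnerable range. Two assumptions are built in: each "x" in the advisory's model notation is read as one alphanumeric character, and an optional "/..." suffix after the base model (as in the K1's "/4P(B)") is tolerated. The inventory records are constructed for the example.

```python
"""Inventory check against this advisory's affected ranges (added example)."""
import re
from typing import List, Optional, Tuple

# Firmware strings as written in the advisory: "V5.02.005", "V4.30.096build221220".
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\.(\d+)(?:build(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, build) or None if the string is not parseable.

    A missing build number becomes 0, so "V4.30.096" sorts below
    "V4.30.096build221220" and is counted as affected (conservative for an
    unknown build)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


# Model families from the advisory. Assumption: "x" is one alphanumeric
# character; an optional "/..." suffix after the base model is tolerated.
_X = r"[0-9A-Za-z]"
_SUFFIX = r"(?:/.*)?"
_FAMILIES = [
    ("DS-7604NI-K1/4P(B)", re.compile(r"^DS-7604NI-K1/4P\(B\)$")),
    ("DS-76xx/77xx/96xxxNI-M", re.compile(
        rf"^DS-(?:7[67]\d{{2}}NI-M{_X}|96\d{{3}}NI-M{_X}{{2}}){_SUFFIX}$")),
    ("DS-76xx/77xx/86xx/96xxNXI-I", re.compile(
        rf"^DS-(?:7[67]|86|96)\d{{2}}NXI-I{_X}{_SUFFIX}$")),
    ("iDS-76xx/77xxNXI-M, iDS-96xxxMXI-M", re.compile(
        rf"^iDS-(?:7[67]\d{{2}}NXI-M{_X}|96\d{{3}}MXI-M{_X}{{2}}){_SUFFIX}$")),
]

# Vulnerable ranges per the advisory as (lower, upper); None lower bound means
# "and earlier". The bound length decides how many version parts are compared:
# the K1 range is build-specific, the V5 ranges are stated to the patch level.
_RANGES = {
    "DS-7604NI-K1/4P(B)": (None, (4, 30, 96, 221220)),
    "DS-76xx/77xx/96xxxNI-M": ((5, 0, 0), (5, 2, 5)),
    "DS-76xx/77xx/86xx/96xxNXI-I": ((5, 0, 0), (5, 2, 5)),
    "iDS-76xx/77xxNXI-M, iDS-96xxxMXI-M": ((5, 0, 0), (5, 2, 5)),
}


def family_of(model: str) -> Optional[str]:
    """Map a model string to one of the advisory's families, or None."""
    for name, pattern in _FAMILIES:
        if pattern.match(model.strip()):
            return name
    return None


def assess(model: str, firmware: str) -> str:
    """Classify one record: 'affected', 'not_affected', 'out_of_scope'
    (model not listed in the advisory) or 'unknown_version' (unparseable)."""
    family = family_of(model)
    if family is None:
        return "out_of_scope"
    version = parse_version(firmware)
    if version is None:
        return "unknown_version"
    lower, upper = _RANGES[family]
    key = version[:len(upper)]
    if lower is not None and key < lower:
        return "not_affected"
    if key > upper:
        return "not_affected"
    return "affected"


# Constructed sample inventory; these are not real device records.
INVENTORY = [
    ("DS-7608NI-M2", "V5.02.005"),
    ("DS-7608NI-M2", "V5.02.006"),
    ("DS-7604NI-K1/4P(B)", "V4.30.096build221220"),
    ("DS-7604NI-K1/4P(B)", "V4.31.000build230301"),
    ("DS-7716NXI-I4/16P", "V5.01.010"),
    ("iDS-7716NXI-M4", "V4.99.999"),
    ("DS-7604NI-K1/4P(B)", "unknown"),
    ("AXIS-S3008", "11.5"),
]


def report(inventory=INVENTORY) -> List[Tuple[str, str, str]]:
    """Return (model, firmware, status) for every record."""
    return [(model, fw, assess(model, fw)) for model, fw in inventory]


if __name__ == "__main__":
    for model, fw, status in report():
        print(f"{status:16} {model:24} {fw}")
```

Records that come back 'unknown_version' deserve a manual look rather than being dropped, and 'out_of_scope' only means the model is not in this advisory's list, not that the device is clear under Section 889.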

Want us to handle it?

We patch, harden or replace affected devices and document the closeout.


Scan your fleet for vulnerable or banned devices.

Tell us what you need secured. We'll confirm compliance, design the system, and quote it — no payment up front.
