CVE-2017-7921 — Hikvision Multiple Products Improper Authentication Vulnerability

Hikvision IP Cameras and DVRs — Unauthenticated Backdoor Access and Privilege Escalation via Authentication Bypass; CRITICAL 9.8; Added KEV March 2026

What Are Hikvision IP Cameras?

Hikvision is the world's largest manufacturer of IP surveillance cameras and video management systems, with hundreds of millions of devices deployed globally in critical infrastructure, government facilities, transportation hubs, schools, healthcare, and commercial environments. Hikvision cameras run embedded Linux firmware and expose web management interfaces for configuration and live video access. Because surveillance cameras have physical visibility into facilities and operations, compromising a Hikvision camera provides visual intelligence, and compromised cameras have also been incorporated into botnets and used as proxy infrastructure. Hikvision's market dominance means security vulnerabilities affect devices in the most sensitive locations worldwide.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 5, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-7921 is a critical authentication bypass vulnerability affecting multiple Hikvision IP cameras, DVRs, and NVRs. The vulnerability allows an unauthenticated remote attacker to gain access to camera management functionality, view live video streams, access credentials, and escalate to administrative privileges via crafted HTTP requests. Hikvision released firmware updates in 2017; however, the prevalence of unpatched Hikvision devices and the sensitive locations they monitor caused CISA to add CVE-2017-7921 to the KEV catalog in March 2026 — nearly nine years after the patch — reflecting ongoing active exploitation.

Affected Versions

Multiple Hikvision product lines including IP cameras (DS-2CD series), DVRs, and NVRs — refer to Hikvision's security notice for the specific affected model and firmware version list. Devices must be upgraded to the firmware version specified in the advisory.

Technical Details

Root Cause: Improper Authentication in Camera Web Interface

CVE-2017-7921 is an improper authentication vulnerability (CWE-287) in Hikvision's embedded web management server. The camera management interface exposes HTTP endpoints for configuration, control, and video streaming. Certain endpoints can be accessed or manipulated through crafted HTTP requests that bypass authentication — allowing attackers to:

  • Access live video streams from the camera without credentials
  • Download camera configuration data including stored credentials
  • Modify camera settings including disabling recording or altering motion detection
  • Escalate privileges to administrator access
  • Access RTSP video streams using obtained credentials

ONVIF and ISAPI abuse: Hikvision cameras support ONVIF (Open Network Video Interface Forum) and Hikvision ISAPI protocols. The authentication bypass affects these management interfaces, enabling unauthenticated access to device functions normally restricted to authenticated administrators.

Attack Characteristics

| Attribute | Detail |
|---|---|
| Attack Vector | Network — HTTP to camera web management port (80, 443, 8000) |
| Authentication | None required for bypass |
| Impact | Credential theft, video stream access, device configuration change |
| Deployed in | Critical infrastructure, government, healthcare, transportation |

Discovery

Disclosed in 2017; Hikvision released firmware updates. The extremely late KEV addition (March 2026) reflects continued mass exploitation of the enormous installed base of unpatched Hikvision devices — many of which are in sensitive physical locations.

Exploitation Context

  • Mass IoT botnet recruitment: Hikvision cameras are prime IoT botnet targets due to their internet exposure and Linux-based firmware; CVE-2017-7921 provides unauthenticated access enabling automated exploitation for botnet recruitment (Mirai variants)
  • Nation-state physical surveillance: Compromised Hikvision cameras in government and critical infrastructure facilities provide physical surveillance intelligence to threat actors — a capability particularly valued for reconnaissance and counterintelligence operations
  • Volt Typhoon and other APTs: Chinese and other nation-state actors have used compromised SOHO and IoT devices, including cameras, as proxy infrastructure to route attack traffic and obscure attribution; Hikvision's origin as a Chinese manufacturer has raised additional supply chain security concerns with the US government
  • Shodan exposure: Millions of Hikvision devices are directly accessible from the internet; Shodan queries reveal cameras with web interfaces accessible on default ports
  • CISA KEV (2026): Added March 5, 2026 despite a 2017 patch date, reflecting 9 years of continued active exploitation across the massive Hikvision installed base

Remediation

CISA BOD 22-01 Deadline: March 26, 2026. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply Hikvision firmware updates — identify affected Hikvision models and apply the firmware update specified in Hikvision's security notice; firmware updates are available through Hikvision's support portal by model number.

  2. Remove internet exposure immediately — Hikvision camera management interfaces (HTTP port 80/443/8000) must not be directly accessible from the internet; place all cameras behind a network firewall with no internet-facing ports; use a VPN for remote management access.

  3. Change default credentials — all Hikvision devices must have their default admin password changed; many breached cameras were using factory default credentials (admin/12345 or similar).

  4. Segment camera network — place IP cameras on a dedicated IoT/camera VLAN with strict outbound traffic controls; block camera-to-internet direct communication to prevent botnet C2 traffic.

  5. Replace end-of-life camera hardware — if a camera model no longer receives firmware updates, replace it with currently supported hardware; Hikvision and other vendors sell current models with patched firmware.

  6. Consider Hikvision replacement in sensitive environments — US government entities should evaluate the US government restrictions on Hikvision equipment (Section 889 of NDAA 2019) and ensure compliance when replacing or procuring surveillance hardware.
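
Steps 2 and 4 can be checked against firewall flow logs. The following is an added example, not code from Hikvision or CISA: it flags permitted flows that reach the camera VLAN from outside the internal ranges, and permitted flows from cameras to external addresses. The camera subnet `10.20.0.0/24`, the internal ranges, the log format and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumed for this example, not taken from the advisory: addressing plan and log format.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_PORTS = {80, 443, 8000}  # management ports listed in the advisory

# Constructed flow records: src_ip src_port dst_ip dst_port action
SAMPLE_FLOWS = """\
203.0.113.50 51514 10.20.0.11 8000 ALLOW
10.30.0.5 40222 10.20.0.11 443 ALLOW
10.20.0.12 33456 198.51.100.7 23 ALLOW
10.20.0.12 33999 198.51.100.7 23 DENY
10.20.0.13 50000 10.20.0.1 123 ALLOW
198.51.100.9 44444 10.20.0.14 554 ALLOW
not a flow record
"""


def is_external(addr):
    """True when addr lies outside every internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def audit_flows(text):
    """Return (finding, camera_ip, peer_ip, dst_port) for each permitted violating flow."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[2])
            dport = int(parts[3])
        except ValueError:
            continue
        if parts[4] != "ALLOW":
            continue  # blocked traffic means the control worked
        if dst in CAMERA_NET and is_external(src):
            # Step 2: no camera port should be reachable from the internet
            kind = "inbound-mgmt" if dport in MGMT_PORTS else "inbound-other"
            findings.append((kind, str(dst), str(src), dport))
        elif src in CAMERA_NET and is_external(dst):
            # Step 4: cameras should not talk to the internet directly
            findings.append(("camera-egress", str(src), str(dst), dport))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Internal ranges are listed explicitly rather than derived from `ipaddress`'s `is_private`, which also reports documentation ranges such as `203.0.113.0/24` as private.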

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2017-7921 |
| Vendor / Product | Hikvision — Multiple Products |
| NVD Published | 2017-05-06 |
| NVD Last Modified | 2026-03-05 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-287 — Improper Authentication |
| CISA KEV Added | 2026-03-05 |
| CISA KEV Deadline | 2026-03-26 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2026-03-26. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2017-05-06 | CVE-2017-7921 published; Hikvision releases firmware updates for affected camera and DVR models |
| 2026-03-05 | Added to CISA Known Exploited Vulnerabilities catalog following confirmed active exploitation |
| 2026-03-26 | CISA BOD 22-01 remediation deadline |