CVE-2021-36260 — Hikvision Improper Input Validation

CVE-2021-36260

Hikvision IP Cameras — Unauthenticated OS Command Injection in Web Server Enabling Root Access, Exploited by Multiple Botnets

What are Hikvision IP Cameras?

Hikvision is the world's largest manufacturer of video surveillance equipment, with cameras and NVRs deployed in hundreds of millions of locations globally — including critical infrastructure, government facilities, enterprises, and homes. Hikvision cameras run embedded Linux firmware with a web server providing remote management and RTSP video streaming. Their ubiquity and internet accessibility make them high-value targets for botnet operators who seek to recruit large numbers of IoT devices. The Chinese government has a significant ownership stake in Hikvision, which has driven regulatory scrutiny in multiple countries.

Overview

CVE-2021-36260 is an OS command injection vulnerability (CWE-78) in the web server of multiple Hikvision camera products. Due to insufficient input validation of user-supplied data in certain web interface handlers, an unauthenticated remote attacker can send a specially crafted HTTP request to execute arbitrary OS commands with root privileges on the camera. Hikvision patched this in September 2021; CISA added it to KEV in January 2022. Multiple IoT botnets have incorporated this vulnerability for mass camera recruitment.

Affected Versions

Product                                 Vulnerable                                       Fixed
Hikvision IP Cameras (multiple models)  Firmware versions before September 2021 update   Updated firmware per Hikvision advisory
Hikvision NVRs (selected models)        Firmware versions before September 2021 update   Updated firmware per Hikvision advisory

Technical Details

The vulnerability is in the web server (built on a lightweight HTTP server common in embedded Linux systems) of affected Hikvision products. A specific endpoint in the web interface accepts parameters that are passed to system command execution without proper sanitization:

  • Root cause: OS command injection (CWE-78) — user-controlled HTTP request parameters are passed to OS command execution without shell metacharacter sanitization
  • Authentication required: None — the vulnerable endpoint is accessible without authentication
  • Execution context: Commands execute as root on the camera's embedded Linux OS
  • Attack simplicity: The exploit is a simple HTTP GET or POST request to a specific URI path — no complex authentication bypass or chaining required
  • Discovered by: the security researcher operating as "Watchful IP", who published a detailed advisory after coordinated disclosure

Discovery

The vulnerability was discovered by a researcher operating under the handle "Watchful IP" who specializes in IoT device security research. Coordinated disclosure to Hikvision preceded the advisory and patch release.

Exploitation Context

Multiple IoT botnets rapidly incorporated CVE-2021-36260 after public disclosure. Mirai variants and other botnets scan the internet for exposed Hikvision camera web interfaces and exploit this vulnerability to recruit cameras as botnet nodes for DDoS attacks. Hundreds of thousands of Hikvision cameras are internet-accessible. Separately, nation-state actors have shown interest in compromising surveillance infrastructure, and Mirai-recruited Hikvision cameras have been observed in DDoS attacks against critical targets.

Remediation

  1. Update Hikvision camera and NVR firmware to the patched version per the Hikvision security advisory
  2. If a firmware update is not possible, disable internet access to the camera's web server (port 80/443) — cameras should not be directly internet-accessible
  3. Place cameras behind a VPN or video surveillance management system (VMS) that provides authenticated access
  4. Change default camera credentials (many cameras are exploited with default admin passwords as well)
  5. Segment camera network from corporate IT networks using VLANs and firewall rules
  6. Check cameras for signs of compromise: unexpected network connections, firmware integrity check failures, or unusual CPU usage
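As an added example (not from this advisory or from Hikvision), the following Python applies step 6 at the network edge: it scans access logs from a reverse proxy or firewall in front of the cameras for requests whose query parameters carry shell metacharacters, the CWE-78 pattern described under Technical Details. The vulnerable URI is not given on this page, so the log lines, the /example/handler path and the payloads are constructed placeholders and the check is applied to every path.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (common log format, as a reverse proxy or
# firewall in front of the cameras might record them). Paths are placeholders,
# not the vulnerable Hikvision URI, and the payloads are deliberately harmless.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2022:08:01:12 +0000] "GET /doc/page/login.asp HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2022:08:01:15 +0000] "GET /example/handler?name=camera01 HTTP/1.1" 200 64
198.51.100.9 - - [10/Jan/2022:08:02:40 +0000] "GET /example/handler?name=%24(uname) HTTP/1.1" 200 0
198.51.100.9 - - [10/Jan/2022:08:02:41 +0000] "POST /example/handler?name=a%3Bid HTTP/1.1" 200 0
"""

# Common/combined log format: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters a shell treats specially; a CWE-78 sink passes them straight through.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")


def suspicious_params(target):
    """Return (name, decoded value) for query parameters containing shell metacharacters."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # second decode catches double-encoded payloads
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def find_injection_attempts(log_text):
    """Return one finding per logged request whose query carries shell metacharacters.
    Only the query string is visible in an access log; POST-body parameters need
    the request body (WAF log or packet capture) to be inspected the same way."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "src": m["src"], "time": m["ts"], "method": m["method"],
                "path": urlsplit(m["target"]).path, "status": int(m["status"]),
                "params": hits,
            })
    return findings
```

A 200 response to such a request on an unpatched camera is the signal to isolate the device and proceed with the integrity checks in step 6; the same source address recurring across many cameras is typical of botnet scanning.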

Key Details

Property              Value
CVE ID                CVE-2021-36260
Vendor / Product      Hikvision — Security cameras web server
NVD Published         2021-09-22
NVD Last Modified     2025-11-10
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-78
CISA KEV Added        2022-01-10
CISA KEV Deadline     2022-01-24
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-01-24. Apply updates per vendor instructions.

Timeline

Date        Event
2021-09-19  Hikvision releases firmware updates; security advisory published
2021-09-22  CVE published
2022-01-10  Added to CISA Known Exploited Vulnerabilities catalog
2022-01-24  CISA BOD 22-01 remediation deadline