{"id":5455,"date":"2025-09-17T20:20:25","date_gmt":"2025-09-17T20:20:25","guid":{"rendered":"https:\/\/lockitsoft.com\/?p=5455"},"modified":"2025-09-17T20:20:25","modified_gmt":"2025-09-17T20:20:25","slug":"tens-of-thousands-of-hikvision-cameras-remain-unpatched-against-critical-11-month-old-vulnerability-exposing-organizations-worldwide","status":"publish","type":"post","link":"https:\/\/lockitsoft.com\/?p=5455","title":{"rendered":"Tens of Thousands of Hikvision Cameras Remain Unpatched Against Critical 11-Month-Old Vulnerability, Exposing Organizations Worldwide"},"content":{"rendered":"<p>A significant cybersecurity threat continues to loom over numerous organizations globally, as an alarming number of Hikvision surveillance cameras remain vulnerable to a critical command injection flaw that has been publicly known for nearly a year. New research indicates that over 80,000 of these devices are still susceptible to exploitation, leaving a vast attack surface open for malicious actors. This persistent vulnerability, tracked as CVE-2021-36260, carries a severe CVSS score of 9.8 out of 10, underscoring its critical nature and the potential for widespread compromise.<\/p>\n<p>Hikvision, formally known as Hangzhou Hikvision Digital Technology, is a prominent Chinese state-owned manufacturer of video surveillance equipment. Its products are deployed in over 100 countries, including significant installations within the United States. This widespread adoption, coupled with the unpatched vulnerability, raises serious concerns about the security posture of critical infrastructure, businesses, and public spaces reliant on Hikvision&#8217;s extensive camera network. The U.S. Federal Communications Commission (FCC) previously identified Hikvision as an &quot;unacceptable risk to U.S. 
national security&quot; in 2019, adding another layer of geopolitical and security apprehension to the current situation.<\/p>\n<p>The command injection flaw, first disclosed to the public last Fall, allows attackers to execute arbitrary commands on the affected Hikvision devices. This capability can lead to a complete takeover of the camera, enabling attackers to surveil sensitive areas, manipulate footage, or use the compromised device as a pivot point to access other systems within a network. The fact that more than 80,000 devices remain unpatched, despite the severity of the vulnerability and the passage of almost a year, suggests a critical gap in patch management practices across a significant portion of Hikvision&#8217;s user base.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"A_Persistent_Threat_Timeline_and_Discovery\"><\/span>A Persistent Threat: Timeline and Discovery<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The vulnerability, officially designated as CVE-2021-36260, was initially brought to light in the latter half of 2021. Security researchers and vendors began issuing warnings and recommendations for patching soon after its public disclosure. However, the recent research highlights a disturbing lack of remediation efforts. 
The researchers have also uncovered evidence of active exploitation attempts, noting &quot;multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability.&quot; These discussions and collaborations have been observed on Russian dark web forums, where leaked credentials for compromised Hikvision devices are also reportedly being offered for sale.<\/p>\n<p>The implications of such a widespread, unpatched vulnerability are multifaceted. The full extent of damage already inflicted is difficult to ascertain, as compromised devices may be used for clandestine surveillance or as part of larger botnets without immediate detection. The authors of the report have speculated that state-sponsored threat groups, including Chinese entities such as MISSION2025\/APT41, APT10 and their affiliates, as well as unknown Russian threat actor groups, could leverage these vulnerabilities. Their motives could range from intelligence gathering to geopolitical disruption, given the nature of surveillance equipment.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"The_IoT_Security_Conundrum_Beyond_Simple_Negligence\"><\/span>The IoT Security Conundrum: Beyond Simple Negligence<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>While the prolonged lack of patching might initially suggest user negligence, the issue of securing Internet of Things (IoT) devices, particularly surveillance cameras, is often more complex. David Maynor, senior director of threat intelligence at Cybrary, points to systemic issues within Hikvision&#8217;s product design and the broader IoT ecosystem. &quot;Their product contains easy to exploit systemic vulnerabilities or worse, uses default credentials,&quot; Maynor stated, highlighting a fundamental weakness in the devices themselves. He further elaborated on the challenges of remediation and verification: &quot;There is no good way to perform forensics or verify that an attacker has been excised. 
Furthermore, we have not observed any change in Hikvision\u2019s posture to signal an increase in security within their development cycle.&quot; This suggests that even with awareness, organizations might face significant hurdles in securing these devices.<\/p>\n<p>Paul Bischoff, a privacy advocate with Comparitech, echoed these sentiments, emphasizing the inherent difficulties in patching IoT devices compared to more conventional computing systems. &quot;IoT devices like cameras aren\u2019t always as easy or straightforward to secure as an app on your phone,&quot; Bischoff explained in a statement. &quot;Updates are not automatic; users need to manually download and install them, and many users might never get the message.&quot; He further noted the lack of user feedback mechanisms on IoT devices: &quot;Furthermore, IoT devices might not give users any indication that they\u2019re unsecured or out of date. Whereas your phone will alert you when an update is available and likely install it automatically the next time you reboot, IoT devices do not offer such conveniences.&quot; This disparity in user experience and update mechanisms creates a fertile ground for vulnerabilities to persist unnoticed.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"The_Role_of_Default_Credentials_and_Discovery_Tools\"><\/span>The Role of Default Credentials and Discovery Tools<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A significant compounding factor, as identified by Bischoff, is the widespread use of default credentials. Hikvision cameras, like many other IoT devices, often ship with a limited set of predetermined default passwords. Many users, either due to a lack of awareness or convenience, fail to change these passwords from the factory settings. This practice creates an easily exploitable entry point for attackers.<\/p>\n<p>Cybercriminals actively scan the internet for vulnerable devices using specialized search engines like Shodan and Censys. 
These platforms allow threat actors to discover devices with open ports and identifiable vulnerabilities, including those running unpatched software or using default login credentials. The combination of weak default security, the complexity of manual patching for IoT devices, and a lack of user awareness creates a perfect storm, leaving tens of thousands of organizations unknowingly exposed.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Broader_Implications_and_the_Path_Forward\"><\/span>Broader Implications and the Path Forward<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The persistent vulnerability in Hikvision cameras has far-reaching implications. For businesses, a compromised camera system can lead to intellectual property theft, industrial espionage, or disruptions to operations. For government entities and critical infrastructure, the risk is amplified, potentially impacting national security and public safety. The ability of threat actors to gain persistent access to surveillance networks can facilitate reconnaissance for more significant attacks, compromise sensitive data, or even be used for targeted disinformation campaigns.<\/p>\n<p>The lack of timely patching also reflects a broader challenge within the cybersecurity landscape concerning the lifecycle management of IoT devices. Manufacturers have a responsibility to provide secure products and accessible update mechanisms, while users and organizations must prioritize security updates and robust password management practices.<\/p>\n<p>Hikvision, as a major global supplier, faces pressure to not only provide effective patches but also to improve the inherent security of its future product lines and to better support its existing customer base in the update process. 
The ongoing threat posed by CVE-2021-36260 serves as a stark reminder of the critical need for vigilance, proactive security measures, and a collaborative approach between manufacturers, users, and cybersecurity researchers to mitigate the risks associated with the ever-expanding world of connected devices. Until these issues are comprehensively addressed, the threat of exploitation will continue to loom large over the thousands of organizations reliant on Hikvision&#8217;s surveillance technology.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A significant cybersecurity threat continues to loom over numerous organizations globally, as an alarming number of Hikvision surveillance cameras remain vulnerable to a critical command injection flaw that has been publicly known for nearly a year. New research indicates that over 80,000 of these devices are still susceptible to exploitation, leaving a vast attack surface &hellip;<\/p>\n","protected":false},"author":8,"featured_media":5454,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[108],"tags":[991,742,109,996,990,994,997,111,992,110,988,989,993,995,998],"class_list":["post-5455","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-protection","tag-cameras","tag-critical","tag-cybersecurity","tag-exposing","tag-hikvision","tag-month","tag-organizations","tag-privacy","tag-remain","tag-security","tag-tens","tag-thousands","tag-unpatched","tag-vulnerability","tag-worldwide"],"_links":{"self":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts\/5455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?re
st_route=\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5455"}],"version-history":[{"count":0,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts\/5455\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/media\/5454"}],"wp:attachment":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}