Cyber Resilience

CVE-2021-36260

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 22 September 2021
Modified: 10 November 2025
KEV Added: 10 January 2022
Patch
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9444 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-36260 is a critical-severity OS Command Injection (CWE-78) vulnerability in Hikvision DS-2CD2121G1-IDW firmware. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations identified by our analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command injection vulnerability tracked as CVE-2021-36260 affects the web server component in certain Hikvision products. The flaw stems from insufficient input validation (CWE-78), which allows specially crafted messages containing malicious commands to be processed by the device; it carries a CVSS 3.1 base score of 9.8.

An unauthenticated attacker with network access can send crafted HTTP requests to the web server and execute arbitrary operating-system commands. Successful exploitation grants full confidentiality, integrity, and availability impact, enabling remote code execution without user interaction or credentials.

The official Hikvision security advisory lists affected firmware versions and provides remediation guidance, while public exploit code on Packet Storm and reports of widespread in-the-wild exploitation confirm active targeting of exposed devices.

Vulnerability details

A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 10 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

hikvision ds-2cd2026g2-iu/sl firmware (all versions)
hikvision ds-2cd2046g2-iu/sl firmware (all versions)
hikvision ds-2cd2066g2-i(u) firmware (all versions)
hikvision ds-2cd2066g2-iu/sl firmware (all versions)
hikvision ds-2cd2086g2-i(u) firmware (all versions)
hikvision ds-2cd2086g2-iu/sl firmware (all versions)
hikvision ds-2cd2166g2-i(su) firmware (all versions)
hikvision ds-2cd2186g2-i(su) firmware (all versions)
hikvision ds-2cd2186g2-isu firmware (all versions)
hikvision ds-2cd2326g2-isu/sl firmware (all versions)
+246 more product configuration(s); see NVD for the full list

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of all input to the web server, blocking the malicious command strings that trigger the CWE-78 injection.

SI-2 Flaw Remediation (prevent): Mandates timely application of Hikvision firmware patches that eliminate the vulnerable web-server code paths.

CM-7 Least Functionality (prevent): Enforces least functionality on the device, disabling or restricting the web server's ability to invoke OS commands.

References