Cyber Resilience

CVE-2023-28815

Severity: Critical
Published: 17 October 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (50.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-28815 is a critical-severity Improper Neutralization of Parameter/Argument Delimiters (CWE-141) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-28815 is a command injection vulnerability stemming from insufficient parameter validation in some versions of Hikvision's iSecure Center product. iSecure Center is software released exclusively for China's domestic market, with no overseas release. The issue is mapped to CWE-141 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables attackers to gain platform privileges and execute arbitrary commands on the affected system, potentially leading to full compromise.

Hikvision has issued a security notice on this vulnerability, available at https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/2023-04/.


Vulnerability details

Some versions of Hikvision's iSecure Center product contain insufficient parameter validation, resulting in a command injection vulnerability. Attackers may exploit this to gain platform privileges and execute arbitrary commands on the system. iSecure Center is software released for China's domestic market only, with no overseas release.

CWE(s)

CWE-141: Improper Neutralization of Parameter/Argument Delimiters

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The CVE enables unauthenticated remote command injection in a network-accessible service (T1190: Exploit Public-Facing Application), which directly facilitates arbitrary command execution on the host (T1059: Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Hikvision iSecure Center, some versions (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses insufficient parameter validation by enforcing input validation mechanisms to prevent command injection exploitation.

SI-2 Flaw Remediation (prevent): Enables timely flaw remediation through patching the specific command injection vulnerability as noted in Hikvision's security notice.

AC-6 Least Privilege (prevent): Enforces least privilege to restrict the scope of arbitrary commands executed upon successful injection, limiting privilege escalation.
