CVE-2023-28815
Published: 17 October 2025
Summary
CVE-2023-28815 is a critical-severity Improper Neutralization of Parameter/Argument Delimiters (CWE-141) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-28815 is a command injection vulnerability stemming from insufficient parameter validation in some versions of Hikvision's iSecure Center product. iSecure Center is software released exclusively for China's domestic market, with no overseas release. The issue is mapped to CWE-141 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables attackers to gain platform privileges and execute arbitrary commands on the affected system, potentially leading to full compromise.
Hikvision has issued a security notice on this vulnerability, available at https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/2023-04/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32450
Vulnerability details
Some versions of Hikvision's iSecure Center product contain insufficient parameter validation, resulting in a command injection vulnerability. Attackers may exploit this to gain platform privileges and execute arbitrary commands on the system. iSecure Center is software released for China's domestic market only, with no overseas release.
- CWE(s): CWE-141 (Improper Neutralization of Parameter/Argument Delimiters)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE enables unauthenticated remote command injection (T1190: Exploit Public-Facing Application) in a network-accessible service, directly facilitating arbitrary command execution (T1059: Command and Scripting Interpreter).
Affected Assets
- Hikvision iSecure Center (affected versions are not enumerated on this page; the product is distributed only in China's domestic market)
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient parameter validation by enforcing input validation that prevents the injected parameter from reaching a command interpreter.
- SI-2 (Flaw Remediation): enables timely remediation by applying the fix referenced in Hikvision's security notice.
- AC-6 (Least Privilege): restricts the scope of any commands executed after a successful injection, limiting privilege escalation.
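The following Python example is added here to illustrate both the Deeper analysis paragraph (a request parameter spliced into a shell command line, where delimiters such as `;` turn data into a second command) and the SI-10 control above (allow-list validation plus shell-free execution). It is not Hikvision code and is not taken from the security notice; the page names no endpoint or parameter, so the `target` parameter and the ping-based diagnostic command are assumptions, and the request values are constructed.

```python
"""
Added illustration of the CWE-141 / command-injection pattern behind
CVE-2023-28815.  Not Hikvision's code: the real endpoint, parameter name
and command are not given on the page, so "target" and the ping-based
diagnostic are assumptions chosen for the demonstration.
"""
import ipaddress
import re
import shlex
import subprocess
from typing import List

# Constructed request parameter values; not taken from any real traffic.
BENIGN_TARGET = "192.0.2.10"
INJECTED_TARGET = "192.0.2.10; echo INJECTED"

# RFC 1123 hostname shape.  Only letters, digits, '-' and '.' can pass,
# so no shell metacharacter ever reaches the command line.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command_line(target: str) -> str:
    """The flawed pattern: an unvalidated parameter spliced into a shell string.

    Handed to a shell (subprocess.run(..., shell=True), Runtime.exec("sh -c ..."),
    popen, ...), the ';' '|' '&' '$()' inside `target` act as command
    delimiters rather than as part of the argument.
    """
    return f"ping -c 1 {target}"


def shell_view(cmdline: str) -> List[str]:
    """Tokenize a command line the way a POSIX shell would, so the command
    smuggled in through the parameter shows up as its own tokens."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return list(lex)


def is_valid_target(target: str) -> bool:
    """Allow-list validation (NIST 800-53 SI-10): accept only a literal IP
    address or a syntactically valid hostname, reject everything else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME.fullmatch(target) is not None


def hardened_argv(target: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list.

    Without a shell the target is always exactly one argument; the '--'
    stops it from being parsed as an option should it ever begin with '-'
    (argument injection, the sibling weakness of command injection).
    """
    if not is_valid_target(target):
        raise ValueError(f"rejected diagnostic target: {target!r}")
    return ["ping", "-c", "1", "--", target]


def run_diagnostic(target: str) -> subprocess.CompletedProcess:
    """Execute with shell=False: metacharacters inside argv elements are inert."""
    return subprocess.run(hardened_argv(target), shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    print("vulnerable, as a shell would parse it:",
          shell_view(vulnerable_command_line(INJECTED_TARGET)))
    print("hardened argv:", hardened_argv(BENIGN_TARGET))
    try:
        hardened_argv(INJECTED_TARGET)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The two halves of the fix are independent and both are worth having: the allow-list keeps hostile input out of the command line, and building an argv list instead of a shell string means that even a validation gap cannot turn the parameter into a second command. `run_diagnostic` is only called from the `__main__` guard because it actually spawns `ping`.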