CVE-2023-6895
Published: 17 December 2023
Summary
CVE-2023-6895 is a medium-severity OS Command Injection (CWE-78) vulnerability in Hikvision Intercom Broadcast System. Its CVSS base score is 6.3 (Medium).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A vulnerability classified as OS command injection (CWE-78) exists in Hikvision Intercom Broadcasting System version 3.0.3_20201113_RELEASE(HIK). The flaw resides in the /php/ping.php endpoint, where the jsondata[ip] parameter is passed directly to operating-system commands without sanitization, allowing an attacker to supply payloads such as “netstat -ano”.
An unauthenticated attacker positioned on the same network segment can send a crafted request to the affected endpoint. Successful exploitation yields limited read, write, and disruption capabilities on the underlying host, consistent with the CVSS vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.
Vendor guidance states that upgrading the product to version 4.1.0 resolves the issue. Public references, including a detailed proof-of-concept on GitHub and entries in VulDB (VDB-248254), confirm the vulnerability has been disclosed and provide remediation steps. The associated EPSS score of 0.9324 indicates sustained exploitation interest since publication.
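As an added illustration (not Hikvision's code and not the referenced proof-of-concept), the Python below shows the two defensive controls that follow from the description above: allow-list jsondata[ip] as a literal IP address before it is used, and triage web-server access logs for requests to /php/ping.php whose parameter is not one. The Apache-style log layout, the sample records and the helper names are assumptions.

```python
"""Allow-list validation and access-log triage for the CVE-2023-6895 pattern.
Added example, not Hikvision's code; the Apache-style log layout is an assumption."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

PING_PATH = "/php/ping.php"
PARAM = "jsondata[ip]"
# The quoted "METHOD target HTTP/x.y" field of a combined-log record.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_safe_ping_target(value: str) -> bool:
    """True only if value parses as a literal IPv4/IPv6 address.
    Allow-listing the type the endpoint actually needs closes the CWE-78 hole:
    'netstat -ano' (or any string carrying shell syntax) never parses, so it
    never reaches a shell."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True

def extract_ip_param(request_target: str):
    """Decoded jsondata[ip] from a GET target for the ping endpoint
    (brackets may be percent-encoded), or None if the request is unrelated."""
    parts = urlsplit(request_target)
    if parts.path != PING_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    return values[0] if values else None

def flag_suspicious_requests(log_lines):
    """(client, value) pairs for ping.php requests whose jsondata[ip] is not a
    plain IP address. Only GET query strings are visible in an access log;
    POST bodies need WAF or application-level logging."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        param = extract_ip_param(m.group("target")) if m else None
        if param is not None and not is_safe_ping_target(param):
            hits.append((line.split(" ", 1)[0], param))
    return hits

# Constructed sample records: a legitimate probe, an injection attempt, an unrelated hit.
SAMPLE_LOG = [
    '10.0.0.20 - - [17/Dec/2023:10:00:01 +0000] "GET /php/ping.php?jsondata%5Bip%5D=10.0.0.1 HTTP/1.1" 200 88',
    '10.0.0.77 - - [17/Dec/2023:10:00:05 +0000] "GET /php/ping.php?jsondata%5Bip%5D=netstat+-ano HTTP/1.1" 200 1204',
    '10.0.0.20 - - [17/Dec/2023:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 512',
]
```

Running `flag_suspicious_requests(SAMPLE_LOG)` returns only the second record, since its decoded parameter is not an address.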
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-59096
Vulnerability details
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to OS command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.