Video surveillance giant Hikvision has published a security advisory on its website today warning customers of a cyber vulnerability that could affect millions of cameras and NVRs deployed around the world.
The “command injection flaw” (CVE-2021-36260), which could give threat actors full control of an affected device, was discovered in June by cybersecurity researcher Watchful IP and first reported by IPVM last Monday.
According to the security bulletin, the vulnerability received a score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), which Watchful IP calls “the highest-level critical vulnerability.”
The video surveillance giant did not say how many devices may be affected, listing only product names and firmware versions; IPVM estimates that more than 100 million devices may be affected.
In a letter to partners, Hikvision advised integrators to download the updated firmware from its website to fix the vulnerability.
It also said: “We recognize that many of our partners may have installed Hikvision devices affected by this vulnerability and we strongly recommend that you work with your customers to ensure proper network hygiene and install updated firmware.”
Hikvision also said it worked with Watchful IP to patch the vulnerability. Additionally, the company said its latest firmware version patches all vulnerabilities reported to it.
“Hikvision is a CVE Numbering Authority (CNA) and is committed to continuing to work with third-party white hat hackers and security researchers to promptly find, patch, disclose and release product updates commensurate with our CVEs for vulnerabilities at CNA partner companies management team,” the letter added.
“Hikvision strictly abides by applicable laws and regulations in all countries and regions in which we operate, and we strive to ensure that the safety of our products goes beyond regulations.”