Attackers could exploit a zero-click vulnerability in a popular IoT security camera to gain unauthenticated access to the device and possibly to your internal network, a researcher has warned.
The researcher, dubbed ‘Watchful IP’, has made public details of the unauthenticated remote code execution (RCE) vulnerability in certain products from Hikvision, a Chinese manufacturer and the world’s biggest network camera brand.
In a blog post, the researcher outlined the details of how the security vulnerability, tracked under CVE-2021-36260, could allow a malicious actor to take complete control of an internet-connected camera and potentially your internal networks.
The vulnerability, which has been given a score of 9.8 on the CVSS scale of severity, enables the attacker to gain “far more access than even the owner of the device has as they are restricted to a limited ‘protected shell’ (psh) which filters input to a predefined set of limited, mostly informational commands”, Watchful IP explained.
Hikvision has confirmed the researcher’s findings and has released a patch for the issue. The company has also released a security advisory with details on which products are at risk.
If you believe you have any of these devices and need assistance in patching this vulnerability, please reach out to us on 07 4401 5760.
Read the original story here: https://portswigger.net/daily-swig/zero-click-rce-vulnerability-in-hikvision-security-cameras-could-lead-to-network-compromise