Session Hijacking Vulnerability in Hikvision Access Control Products
CVE-2023-28809

7.5 HIGH

Key Information:

Vendor: Hikvision

CVE Published: 15 June 2023

What is CVE-2023-28809?

Certain Hikvision access control products do not issue a new session ID when a user authenticates successfully: the session ID handed out before login stays valid and simply gains the user's privileges once the login completes (a session fixation class flaw). An attacker positioned to observe the login traffic can capture that session ID and then present it, together with a source IP address spoofed to match the victim's, to impersonate the logged-in user and reach sensitive device functions. The CVSS metrics reflect this path: no privileges are required, but a legitimate user must log in (User Interaction: Required) and the attacker needs a network position from which the session ID can be captured, which is why Attack Complexity is rated High. The standard defence against this class of flaw is to retire the pre-authentication session ID and issue a fresh one at login; binding a session to the client IP address does not help on its own against an attacker who can spoof that address.
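The following is an added illustration of the flaw class described above, not Hikvision's code or the exact device behaviour. It models a web login flow that sets a session cookie before authentication, in a vulnerable variant (same ID kept after login) and a hardened variant (ID rotated at login), and replays the attack path from the advisory: the attacker sniffs the pre-auth ID, waits for the victim to log in, then presents the ID with the victim's IP spoofed. The class and function names, the cookie name SESSION_ID, the IP addresses and the credentials are all assumptions made for the demo.

```python
"""Toy model of a login flow that issues a session ID before authentication.
Added example, not Hikvision code; DeviceWeb, SESSION_ID, the addresses and
the credentials are constructed for the demo."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    client_ip: str
    user: Optional[str] = None  # None until the session is authenticated


class DeviceWeb:
    """Minimal session handling. rotate_on_login=False reproduces the flaw
    described in the advisory: the pre-auth session ID keeps working after a
    successful login, now with the user's privileges attached."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, Session] = {}
        self.users = {"admin": "correct-horse-battery"}  # constructed creds

    def get_login_page(self, client_ip: str) -> str:
        # The session cookie is set when the login page is served, i.e.
        # before any credential has been checked.
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(client_ip=client_ip)
        return sid

    def _lookup(self, sid: str, client_ip: str) -> Session:
        sess = self.sessions.get(sid)
        # Binding the session to the client IP is the only extra check; an
        # attacker who spoofs the victim's address passes it.
        if sess is None or sess.client_ip != client_ip:
            raise PermissionError("unknown session or IP mismatch")
        return sess

    def login(self, sid: str, client_ip: str, user: str, password: str) -> str:
        sess = self._lookup(sid, client_ip)
        expected = self.users.get(user, "")
        if not hmac.compare_digest(password.encode(), expected.encode()):
            raise PermissionError("bad credentials")
        if not self.rotate_on_login:
            sess.user = user  # VULNERABLE: same ID, new privileges
            return sid
        # HARDENED: retire the pre-auth ID and issue a fresh one, so an ID
        # captured before or during login is worthless afterwards.
        del self.sessions[sid]
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = Session(client_ip=client_ip, user=user)
        return new_sid

    def whoami(self, sid: str, client_ip: str) -> Optional[str]:
        try:
            return self._lookup(sid, client_ip).user
        except PermissionError:
            return None


def hijack_attempt(rotate_on_login: bool) -> bool:
    """Replay the attack path from the advisory against one variant.
    Returns True when the attacker ends up authenticated as the victim."""
    dev = DeviceWeb(rotate_on_login)
    victim_ip, attacker_ip = "10.0.0.5", "10.0.0.66"  # constructed
    # 1. Victim loads the login page; the pre-auth ID crosses the LAN and
    #    the attacker sniffs it.
    sniffed_sid = dev.get_login_page(victim_ip)
    # 2. Victim authenticates; the device may or may not rotate the ID.
    victim_sid = dev.login(sniffed_sid, victim_ip, "admin", "correct-horse-battery")
    assert dev.whoami(victim_sid, victim_ip) == "admin"  # legit login works
    # 3. Attacker replays the sniffed ID. From their own address the IP
    #    binding rejects it; with the victim's IP spoofed it is accepted
    #    unless the ID was rotated at login.
    if dev.whoami(sniffed_sid, attacker_ip) is not None:
        return True
    return dev.whoami(sniffed_sid, victim_ip) == "admin"


def session_rotated(pre_login_set_cookie: str, post_login_set_cookie: str,
                    cookie_name: str = "SESSION_ID") -> bool:
    """Offline check on two captured Set-Cookie header values: did the login
    response carry a different session ID than the login page did?"""
    def extract(header: str) -> Optional[str]:
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == cookie_name:
                return value
        return None
    before, after = extract(pre_login_set_cookie), extract(post_login_set_cookie)
    return before is not None and after is not None and before != after


if __name__ == "__main__":
    print("vulnerable device hijacked:", hijack_attempt(rotate_on_login=False))
    print("hardened device hijacked:  ", hijack_attempt(rotate_on_login=True))
```

The `session_rotated` helper is the check to run against a real target in a test lab: capture the Set-Cookie header served with the login page and the one returned on successful login; if the session cookie value is unchanged, the pre-auth ID survives authentication and the same replay applies.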

Affected Version(s)

DS-K1T320XXX V3.5.0_build220706

DS-K1T341AXX V3.2.30_build221223

DS-K1T341C V3.3.8_build230112


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability reserved
  • Vulnerability published: 15 June 2023

Credit

Andres Hinnosaar