Hikvision Intercom Broadcasting System ping.php os command injection
CVE-2023-6895

6.3MEDIUM

Key Information:

Vendor

Hikvision

Status
Intercom Broadcasting System
Vendor
CVE Published:
17 December 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 92%

What is CVE-2023-6895?

A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.

Affected Version(s)

Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-6895
Created by FuBoLuSec

References

https://vuldb.com/?id.248254
vdb-entrytechnical-description
https://vuldb.com/?ctiid.248254
signaturepermissions-required
https://github.com/willchen0011/cve/blob/main/rce.md
exploit

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

willchen
willchen (VulDB User)
.