Hikvision NVRs Vulnerable to Command Injection Attacks
CVE-2024-29949

7.2 HIGH

Key Information:

Vendor: Hikvision
CVE Published: 2 April 2024

What is CVE-2024-29949?

A command injection vulnerability exists in certain Hikvision Network Video Recorders (NVRs), which can be exploited by authenticated users who possess administrative access. This flaw enables these users to inject and execute arbitrary commands within the device's operating environment, potentially leading to unauthorized access and manipulation of surveillance data. This vulnerability emphasizes the importance of robust security measures in device management and the need for timely updates and patches.

Affected Version(s)

DS-7604NI-K1 / 4P(B) V4.30.096build221220 and the versions prior to it

DS-7604NI-M1/4P Versions after V5.00.000 (including V5.00.000) and before V5.01.070 (not including V5.01.070)

DS-76xxNI-Mx Versions after V5.00.000 (including V5.00.000) and before V5.02.006 (not including V5.02.006)

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

Credit

KITRI BoB 12th