cbcvebase.
CVE-2013-4976
published 2019-12-27

CVE-2013-4976: Hikvision DS-2CD7153-E IP Camera has security bypass via hardcoded credentials

Priority P274, critical, 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 36.11% (98.3th percentile)

Detection & IOCs (extracted from sources)

cookie: userInfo80=YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw==
path: /PSIA/System/ConfigurationData
path: /doc/pages/main.asp
path: /doc/pages/scripts/login.js
port: 554
command: PLAY rtsp://<host>/ RTSP/1.0 CSeq: 7 Range: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)
other: username: anonymous / password: \177\177\177\177\177\177
  • Detect authentication bypass attempts by monitoring for HTTP requests containing the cookie name 'userInfo80' (or 'userInfoXX' for other ports) with the base64 value 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw==' corresponding to the hardcoded anonymous credentials.
  • Monitor HTTP GET requests to '/PSIA/System/ConfigurationData' from non-admin accounts as an indicator of CVE-2013-4975 credential-harvesting attempts.
  • Detect CVE-2013-4977 RTSP buffer overflow exploitation attempts by inspecting RTSP PLAY requests on TCP/554 for an oversized or pattern-filled 'Range: npt=' header value (e.g. containing cyclic pattern strings like 'Aa0Aa1Aa2...').
  • Monitor for HTTP requests to '/doc/pages/main.asp' without prior authenticated session establishment, which may indicate anonymous bypass exploitation.
  • Flag RTSP connections using the User-Agent string 'VLC media player (LIVE555 Streaming Media v2010.02.10)' combined with an anomalous Range header on TCP/554 as a potential exploit indicator.
  • The hardcoded anonymous credentials bypass works even when the anonymous user account has been explicitly disabled in the camera's configuration, making administrative disabling of the account insufficient as a mitigation.
  • The bypass cannot be triggered via the normal login form; it requires forging the 'userInfoXX' cookie directly, meaning standard login-page monitoring will not catch exploitation attempts.
  • CVE-2013-4977 RTSP buffer overflow requires no authentication, meaning network-level access to TCP/554 alone is sufficient for exploitation.
  • The vulnerable firmware v4.1.0 b130111 is shared across a large number of Hikvision camera models beyond the DS-2CD7153-E, so the attack surface is significantly broader than a single device.
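
The cookie check from the first detection note, as an added example (not taken from this page's sources): it matches any 'userInfoXX' cookie, decodes the value and compares it with the decoded form of the value listed above, so percent-encoded padding and other port suffixes are still caught. The function name, finding strings, host `camera.example` and sample requests are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Cookie value exactly as listed on this page; it decodes to the literal text
# "anonymous:" plus six backslash-1-7-7 sequences (text, not 0x7f bytes).
PAGE_VALUE = "YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw=="
HARDCODED = base64.b64decode(PAGE_VALUE)
COOKIE_RE = re.compile(r"\buserInfo(\d+)=([A-Za-z0-9+/]+={0,2})")
WATCHED_PATHS = ("/doc/pages/main.asp", "/PSIA/System/ConfigurationData")


def check_request(raw_request: str) -> list[str]:
    """Return findings for one raw HTTP request (request line plus headers)."""
    findings = []
    lines = raw_request.splitlines()
    parts = lines[0].split(" ") if lines else []
    path = parts[1] if len(parts) >= 2 else ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        # Undo percent-encoding first so "%3D%3D" padding is still matched.
        for port, b64 in COOKIE_RE.findall(unquote(value)):
            try:
                decoded = base64.b64decode(b64, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, so not the known value
            if decoded != HARDCODED:
                continue
            findings.append(f"hardcoded anonymous credentials in userInfo{port}")
            if path.startswith(WATCHED_PATHS):
                findings.append(f"forged cookie used to request {path}")
    return findings


def _req(path: str, cookie: str) -> str:
    return f"GET {path} HTTP/1.1\r\nHost: camera.example\r\nCookie: {cookie}\r\n\r\n"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "forged": _req("/doc/pages/main.asp", f"userInfo80={PAGE_VALUE}"),
    "encoded": _req("/PSIA/System/ConfigurationData",
                    "lang=en; userInfo8080=" + PAGE_VALUE.replace("=", "%3D")),
    "benign": _req("/doc/pages/main.asp",
                   "userInfo80=" + base64.b64encode(b"operator:constructed").decode()),
}
```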

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P