CVE-2017-7921
published 2017-05-06
CVE-2017-7921: An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build…
Priority P195 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability · due 2026-03-26
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.
Detection & IOCs (extracted from sources)
nuclei template id: CVE-2017-7921 — GET /system/deviceInfo?auth=YWRtaW46MTEK matched on body word '<DeviceInfo' and header 'application/xml'
- Detect exploitation attempts by monitoring HTTP GET requests to /system/deviceInfo with the base64-encoded auth parameter 'YWRtaW46MTEK' (decodes to 'admin:1\n'), which bypasses authentication on vulnerable Hikvision cameras.
- Responses to the exploit request return Content-Type 'application/xml' and a body containing the XML tag '<DeviceInfo', which can be used as a detection match.
- HiatusRAT actors scan for this CVE on TCP ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575; monitor for scanning activity against these ports on Hikvision/Xiongmai devices.
- Use the Shodan search query '"App-webs" "200 OK"' to identify internet-exposed vulnerable Hikvision devices susceptible to this authentication bypass.
- The vulnerability affects a wide range of Hikvision firmware versions across multiple camera series; patching may not be possible on some devices because the vendor prevents firmware upgrades on certain affected models.
- The vulnerability also affects white-labeled (OEM) camera products sold under brand names other than Hikvision, broadening the affected device population beyond Hikvision-branded hardware.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
CISA
Hikvision Multiple Products Improper Authentication Vulnerability
cisa·2026-03-05·CVSS 9.8
CVE-2017-7921 [CRITICAL] CWE-287 Hikvision Multiple Products Improper Authentication Vulnerability
Vulnerability: Hikvision Multiple Products Improper Authentication Vulnerability
Affected: Hikvision Multiple Products
Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.hikvision.com/us-en/support/document-center/special-notices/privilege-escalating-vulnerability-in-certain-hikvision-ip-cameras/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-7921
Remediation Due Date: 2026-03-26
CISA ICS
Hikvision Cameras
cisa_ics·2017-05-04
ICS Advisory
Last Revised: May 04, 2017
Alert Code: ICSA-17-124-01
## CVSS v3 10.0
ATTENTION: Remotely exploitable/low skill level to exploit.
Vendor: Hikvision
Equipment: Cameras
Vulnerabilities: Improper Authentication, Password in Configuration File
## AFFECTED PRODUCTS
Hikvision reports that the following cameras and versions are affected:
- DS-2CD2xx2F-I Series
  - V5.2.0 build 140721 to V5.4.0 build 160530
- DS-2CD2xx0F-I Series
  - V5.2.0 build 140721 to V5.4.0 Build 160401
- DS-2CD2xx2FWD Series
  - V5.3.1 build 150410 to V5.4.4 Build 161125
- DS-2CD4x2xFWD Serie
GHSA
GHSA-82r9-7ww3-jr86: An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5
ghsa_unreviewed·2022-05-17
CVE-2017-7921 [CRITICAL] CWE-287 GHSA-82r9-7ww3-jr86: An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5
VulnCheck
Hikvision Multiple Products Improper Authentication Vulnerability
vulncheck·2017·CVSS 9.8
CVE-2017-7921 [CRITICAL] CWE-287 Hikvision Multiple Products Improper Authentication Vulnerability
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-18&host_type=src&vulnerability=cve-2017-7921; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-29&host_type=src&vulnerability=cve-2017-7921; https://dashboard.shadowserver
Suricata
ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M3 (configuration retrieval) (CVE-2017-7921)
suricata·2026-03-20·CVSS 9.8
CVE-2017-7921 [CRITICAL] ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M3 (configuration retrieval) (CVE-2017-7921)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M3 (configuration retrieval) (CVE-2017-7921)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/System/configurationFile|3f|auth|3d|YWRtaW4"; fast_pattern; reference:url,seclists.org/fulldisclosure/2017/Sep/23; reference:cve,2017-7921; classtype:attempted-admin; sid:2068371; rev:1; metadata:affected_product HikVision, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2017_7921, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description
Suricata
ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M1 (user/password enumeration) (CVE-2017-7921)
suricata·2026-03-20·CVSS 9.8
CVE-2017-7921 [CRITICAL] ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M1 (user/password enumeration) (CVE-2017-7921)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M1 (user/password enumeration) (CVE-2017-7921)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Security/users|3f|auth|3d|YWRtaW4"; fast_pattern; reference:url,seclists.org/fulldisclosure/2017/Sep/23; reference:cve,2017-7921; classtype:attempted-admin; sid:2068369; rev:1; metadata:affected_product HikVision, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2017_7921, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_20
Suricata
ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M2 (snapshot retrieval) (CVE-2017-7921)
suricata·2026-03-20·CVSS 9.8
CVE-2017-7921 [CRITICAL] ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M2 (snapshot retrieval) (CVE-2017-7921)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M2 (snapshot retrieval) (CVE-2017-7921)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/onvif-http/snapshot|3f|auth|3d|YWRtaW4"; fast_pattern; reference:url,seclists.org/fulldisclosure/2017/Sep/23; reference:cve,2017-7921; classtype:attempted-admin; sid:2068370; rev:1; metadata:affected_product HikVision, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2017_7921, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_P
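An added example, not taken from any of the sources listed on this page: triaging web access logs for the request patterns that the nuclei template and the three Suricata rules above match on. It parses the query string rather than matching a literal URI, so parameter order and percent-encoding do not matter. The log layout, the sample lines and the use of a 200 status as a hint that the device answered are assumptions of this example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the nuclei template and Suricata rules on this page,
# lower-cased so the comparison is case-insensitive.
WATCHED_PATHS = {
    "/system/deviceinfo": "device info probe",
    "/security/users": "user/password enumeration",
    "/onvif-http/snapshot": "snapshot retrieval",
    "/system/configurationfile": "configuration retrieval",
}

# Assumed layout: combined log format (source ... "METHOD URI PROTO" status).
LOG_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Mar/2026:10:01:02 +0000] "GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1" 200 812',
    '198.51.100.7 - - [20/Mar/2026:10:01:03 +0000] "GET /onvif-http/snapshot?auth=YWRtaW46MTEK HTTP/1.1" 401 0',
    '192.0.2.10 - - [20/Mar/2026:10:02:00 +0000] "GET /System/deviceInfo HTTP/1.1" 401 0',
    '203.0.113.5 - - [20/Mar/2026:10:03:00 +0000] "GET /system/deviceInfo?foo=1&auth=YWRtaW46MTEK HTTP/1.1" 200 640',
    '192.0.2.10 - - [20/Mar/2026:10:04:00 +0000] "GET /index.html?auth=YWRtaW46MTEK HTTP/1.1" 200 100',
]


def decode_auth(value):
    """Return the decoded auth parameter, or None if it is not valid base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def classify(line):
    """Return a finding dict for a matching log line, otherwise None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    parts = urlsplit(m["uri"])
    label = WATCHED_PATHS.get(unquote(parts.path).lower())
    if label is None:
        return None
    for value in parse_qs(parts.query).get("auth", []):
        decoded = decode_auth(value)
        # Same idea as the rules' "YWRtaW4" prefix: auth decodes to "admin:...".
        if decoded and decoded.startswith("admin:"):
            return {"src": m["src"], "technique": label, "served": m["status"] == "200"}
    return None


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]
```

Hits with `served` set to true are the ones to triage first, since the device returned content instead of rejecting the request.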
Nuclei
Hikvision - Authentication Bypass
nuclei·CVSS 9.8
CVE-2017-7921 [CRITICAL] Hikvision - Authentication Bypass
Hikvision - Authentication Bypass
Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices contain an improper authentication issue. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.
Template:
id:
Metasploit
Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic
metasploit
Many Hikvision IP cameras contain improper authentication logic which allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing (shodan search: '"App-webs" "200 OK"'). Some of these devices can never be patched due to the vendor preventing users from upgrading the installed firmware on the affected device. This module utilizes the bug in the authentication logic to perform an unauthenticated passwo
Metasploit
Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera
metasploit
Many Hikvision IP cameras have improper authorization logic that allows unauthenticated information disclosure of camera information, such as detailed hardware and software configuration, user credentials, and camera snapshots. The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing (shodan search: "App-webs" "200 OK"). This module allows the attacker to retrieve this information without any authentication. The information
Recorded Future
March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day
blogs_recorded_future·2026-04-13·CVSS 9.8
In March 2026, Insikt Group® identified 31 high-impact vulnerabilities that should be prioritized for remediation, 29 of which had a Very Critical Recorded Future Risk Score.
These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This month’s most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities.
One vulnerability (CVE-2017-7921 affecting Hikvision) is approximately nine ye
Tenable
Iranian-linked actors are engaging in disruptive attacks
blogs_tenable·2026-03-11
Checkpoint
Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
blogs_checkpoint·2026-03-04
CVE-2017-7921 Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
## Key Findings
During the ongoing conflict, we identified intensified targeting of IP cameras f
Checkpoint
2025: The Untold Stories of Check Point Research
blogs_checkpoint·2026-02-23
CVE-2025-33053 2025: The Untold Stories of Check Point Research
## Introduction
Check Point Research (CPR) continuously tracks threats, following the clues that lead to major players and incidents in t
Tenable
Cybersecurity Snapshot: After Telecom Hacks, CISA Offers Security Tips for Cell Phone Users, While Banks Seek Clearer AI Regulations
blogs_tenable·2025-01-03
Bleepingcomputer
FBI spots HiatusRAT malware attacks targeting web cameras, DVRs
blogs_bleepingcomputer·2024-12-16·CVSS 9.8
## Sergiu Gatlan
The FBI warned today that new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online.
As a private industry notification (PIN) published on Monday explains, the attackers focus their attacks on Chinese-branded devices that are still waiting for security patches or have already reached the end of life.
"In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom," the FBI said. "The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak
- http://www.hikvision.com/us/about_10805.html
- http://www.securityfocus.com/bid/98313
- https://ghostbin.com/paste/q2vq2
- https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01
- https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/20170314/
- https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification--privilege-escalating-vulnerability-in-cer/
- https://www.hikvision.com/us-en/support/document-center/special-notices/privilege-escalating-vulnerability-in-certain-hikvision-ip-cameras/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-7921
Published: 2017-05-06
Added to CISA KEV: 2026-03-05
Exploited in the wild