CVE-2021-36260
Published 2021-09-22
Priority P1 · 97 · critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Badges: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-01-24
Exploited in the wild
EPSS: 99.87% (100.0th percentile)
A command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hikvision | ds-7104ni-q1_4p_firmware | 4.30.300 – 4.31.100 | — |
| hikvision | ds-7104ni-q1_4p_m_firmware | 4.30.300 – 4.31.100 | — |
| hikvision | ds-7104ni-q1_firmware | 4.30.300 – 4.31.100 | — |
| hikvision | ds-7104ni-q1_m_firmware | 4.30.300 – 4.31.100 | — |
| hikvision | ds-7108ni-q1_8p_firmware | 4.30.300 – 4.31.100 | — |
| hikvision | ds-7108ni-q1_8p_m_firmware | 4.30.300 – 4.31.100 | — |
| hikvision | ds-7108ni-q1_firmware | 4.30.300 – 4.31.100 | — |
| hikvision | ds-7108ni-q1_m_firmware | 4.30.300 – 4.31.100 | — |
| hikvision | ds-7604ni-q1_4p_firmware | 4.30.210 – 4.31.000 | — |
| hikvision | ds-7604ni-q1_firmware | 4.30.210 – 4.31.000 | — |
| hikvision | ds-7608ni-k1_8p_4g_firmware | 4.30.210 – 4.31.000 | — |
| hikvision | ds-7608ni-q1_8p_firmware | 4.30.210 – 4.31.000 | — |
| hikvision | ds-7608ni-q1_firmware | 4.30.210 – 4.31.000 | — |
| hikvision | ds-7608ni-q2_8p_firmware | 4.30.210 – 4.31.000 | — |
| hikvision | ds-7608ni-q2_firmware | 4.30.210 – 4.31.000 | — |
| hikvision | ds-7616ni-k1_firmware | 4.30.210 – 4.31.000 | — |
| hikvision | ds-7616ni-q1_firmware | 4.30.210 – 4.31.000 | — |
| hikvision | ds-7616ni-q2_16p_firmware | 4.30.210 – 4.31.000 | — |
| hikvision | ds-7616ni-q2_firmware | 4.30.210 – 4.31.000 | — |
Detection & IOCs (extracted from sources)
- Moobot C2 heartbeat uses a two-byte null packet (\x00\x00); detect this pattern in outbound TCP sessions from camera/NVR devices to identify C2 beaconing.
- Moobot config is XOR-encoded with key 0x22; use this to decode and extract C2 addresses from captured samples or memory dumps.
- CVE-2021-36260 exploitation injects malicious commands into a specific XML/web-server tag; monitor Hikvision web server logs for unexpected tag content or anomalous HTTP requests to the web server component.
- FortiGuard IPS signature 'Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection' (released in IPS definition version 18.192) detects CVE-2021-36260 exploitation attempts.
- Iran-nexus scanning infrastructure uses commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and VPS; correlate inbound scan traffic from these providers against Hikvision/Dahua devices as a threat-hunting pivot.
- CVE-2021-36260 is exploitable by unauthenticated attackers; no credentials are required to trigger the command injection via the Hikvision web server component.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-v276-9v2g-hx55: A command injection vulnerability in the web server of some Hikvision product
ghsa (unreviewed) · 2022-05-24 · CVE-2021-36260 [CRITICAL] · CWE-20
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
VulnCheck
Hikvision Improper Input Validation
vulncheck · 2021 · CVSS 9.8 · CVE-2021-36260 [CRITICAL] · CWE-78
A command injection vulnerability in the web server of some Hikvision product, due to insufficient input validation.
Affected: Hikvision Security cameras web server
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.cisa.gov/uscert/ncas/alerts/aa22-279a
- https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
- https://blog.netlab.360.com/new-ddos-botnet-wszeor/
- https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-ca
CISA
Hikvision Improper Input Validation
cisa · 2022-01-10 · CVSS 9.8 · CVE-2021-36260 [CRITICAL] · CWE-78
Vulnerability: Hikvision Improper Input Validation
Affected: Hikvision Security cameras web server
A command injection vulnerability in the web server of some Hikvision product, due to insufficient input validation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-36260
Remediation Due Date: 2022-01-24
Suricata
ET EXPLOIT Hikvision IP Camera RCE Attempt (CVE-2021-36260)
suricata · 2021-12-08 · CVSS 9.8 · CVE-2021-36260 [CRITICAL]
Rule (sid 2034630, rev 3):
```suricata
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hikvision IP Camera RCE Attempt (CVE-2021-36260)"; flow:established,to_server; http.method; content:"PUT"; http.uri; bsize:16; content:"/SDK/webLanguage"; fast_pattern; http.request_body; content:"|3c|language|3e|"; nocase; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/CVE-2021-36260.py; reference:url,watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:cve,2021-36260; classtype:attempted-admin; sid:2034630; rev:3; metadata:affecte
```
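To make the rule's matching logic concrete for anyone building a log-based detection, here is an added example (my own code, not from Emerging Threats or any source on this page) that re-implements the same five checks in Python and runs them over constructed sample requests; the request bytes, sample names and function names are assumptions for illustration.

```python
import re

# Shell-metacharacter pattern taken from the rule's pcre. The rule has no /i
# flag, so the percent-encoded forms are matched in lowercase only, as there.
META_RE = re.compile(r"(?:[`;|]|%60|%3b|%7c|%26|(?:[<>$]|%3c|%3e|%24)(?:\(|%28))")
# content:"|3c|language|3e|"; nocase
TAG_RE = re.compile(r"<language>", re.IGNORECASE)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None, None, body.decode("latin-1")
    return parts[0], parts[1], body.decode("latin-1")


def matches_cve_2021_36260(raw: bytes) -> bool:
    """True only if the request satisfies every condition of ET sid 2034630."""
    method, uri, body = parse_request(raw)
    if method != "PUT":                      # http.method; content:"PUT"
        return False
    if uri != "/SDK/webLanguage":            # http.uri; bsize:16 (exact 16-byte URI)
        return False
    tag = TAG_RE.search(body)                # http.request_body; <language> present
    if tag is None:
        return False
    # pcre ... /R: the metacharacter must occur after the <language> match.
    return META_RE.search(body, tag.end()) is not None


def build_request(uri: str, body: str, method: str = "PUT") -> bytes:
    """Construct a sample request (test input, not captured traffic)."""
    head = (f"{method} {uri} HTTP/1.1\r\nHost: camera.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body.encode("latin-1")


# Constructed samples: a legitimate language change, two that trip the rule,
# and two near-misses that show which rule conditions do the filtering.
SAMPLES = {
    "benign":       build_request("/SDK/webLanguage", "<language>en</language>"),
    "semicolon":    build_request("/SDK/webLanguage", "<language>en;x</language>"),
    "encoded":      build_request("/SDK/webLanguage", "<language>en%3bx</language>"),
    "wrong_method": build_request("/SDK/webLanguage", "<language>en;x</language>", "GET"),
    "wrong_uri":    build_request("/SDK/webLanguage/", "<language>en;x</language>"),
}


def scan(samples=SAMPLES) -> dict:
    """Return {sample name: alert?} for each request."""
    return {name: matches_cve_2021_36260(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:13s} {'ALERT' if hit else 'ok'}")
```

The "wrong_uri" sample shows the effect of bsize:16: the rule only fires on the exact 16-byte URI, so a pipeline that sees a normalized or longer URI should match the path component rather than the full request target.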
Exploit-DB
Hikvision Web Server Build 210702 - Command Injection
exploitdb · 2021-10-25 · CVSS 9.8 · CVE-2021-36260 [CRITICAL]
```python
# Exploit Title: Hikvision Web Server Build 210702 - Command Injection
# Exploit Author: bashis
# Vendor Homepage: https://www.hikvision.com/
# Version: 1.0
# CVE: CVE-2021-36260
# Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
# All credit to Watchful_IP
#!/usr/bin/env python3
"""
Note:
1) This code will _not_ verify if remote is Hikvision device or not.
2) Most of my interest in this code has been concentrated on how to
reliably detect vulnerable and/or exploitable devices.
Some devices are easy to detect, verify and exploit the vulnerability,
other devices may be vulnerable but not so easy to verify and exploit.
I think the combined verification code should have very high accu
```
Metasploit
Hikvision IP Camera Unauthenticated Command Injection
metasploit · CVSS 9.8 · CVE-2021-36260 [CRITICAL]
This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the `/SDK/webLanguage` endpoint, resulting in command execution as the `root` user. This module specifically attempts to exploit the blind variant of the attack. The module was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. It was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725. Please see the Hikvision advisory for a full list of affected products.
Nuclei
Hikvision IP camera/NVR - Remote Command Execution
nuclei · CVSS 9.8 · CVE-2021-36260 [CRITICAL]
Certain Hikvision products contain a command injection vulnerability in the web server due to the insufficient input validation. An attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
Template:
```yaml
id: CVE-2021-36260

info:
  name: Hikvision IP camera/NVR - Remote Command Execution
  author: pdteam,gy741,johnk3r
  severity: critical
  description: Certain Hikvision products contain a command injection vulnerability in the web server due to the insufficient input validation. An attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
  impact: |
    Successful exploitation of this vulnerability allows an attacker t
```
Nuclei
Hikvision Security Checks
nuclei · CVSS 9.8 · CVE-2021-36260 [CRITICAL]
A simple workflow that runs all Hikvision related nuclei templates on a given target.
Template:
```yaml
id: hikvision-workflow

info:
  name: Hikvision Security Checks
  author: pdteam
  description: A simple workflow that runs all Hikvision related nuclei templates on a given target.

workflows:
  - template: http/technologies/hikvision-detect.yaml
    subtemplates:
      - template: http/cves/2021/CVE-2021-36260.yaml
```
Nuclei
Hikvision IP Camera - Info Exposure
nuclei · CVSS 9.8 · CVE-2021-36260 [CRITICAL]
Unauthenticated exposure of sensitive endpoints was detected on vulnerable Hikvision IP cameras. This included live snapshot feeds, encrypted configuration files, and full user credential XML through CVE-2021-36260 exploit chaining and bypass logic.
Template:
```yaml
id: hikvision-cam-info-exposure

info:
  name: Hikvision IP Camera - Info Exposure
  author: AbdulrahmanTamim
  severity: high
  description: |
    Unauthenticated exposure of sensitive endpoints was detected on vulnerable Hikvision IP cameras. This included live snapshot feeds, encrypted configuration files, and full user credential XML through CVE-2021-36260 exploit chaining and bypass logic.
  reference:
    - https://www.exploit-db.com/exploits/45231
    - https://www.cve.org/CVERecord?id=CVE-2021-36260
    - https://
```
Hackernews
New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
blogs_hackernews · 2026-06-26 · CVSS 9.8 · CVE-2021-26855 [CRITICAL]
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts.
Kaspersky, which is tracking the activity under the moniker StrikeShark , said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Ne
Securelist
StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
blogs_securelist · 2026-06-24 · CVE-2021-26855
By Fareed Radzi
## Introduction
During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previo
Tenable
Iranian-linked actors are engaging in disruptive attacks
blogs_tenable · 2026-03-11
Checkpoint
Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
blogs_checkpoint · 2026-03-04 · CVE-2017-7921
## Key Findings
During the ongoing conflict, we identified intensified targeting of IP cameras f
Tenable
Cybersecurity Snapshot: After Telecom Hacks, CISA Offers Security Tips for Cell Phone Users, While Banks Seek Clearer AI Regulations
blogs_tenable · 2025-01-03
Bleepingcomputer
FBI spots HiatusRAT malware attacks targeting web cameras, DVRs
blogs_bleepingcomputer · 2024-12-16 · CVSS 9.8 · [CRITICAL]
By Sergiu Gatlan
The FBI warned today that new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online.
As a private industry notification (PIN) published on Monday explains, the attackers focus their attacks on Chinese-branded devices that are still waiting for security patches or have already reached the end of life.
"In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom," the FBI said. "The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak
Qualys
NSA Alert: Topmost CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
blogs_qualys · 2022-10-07 · CVSS 10.0 · [CRITICAL]
Table of Contents
- Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0
- Identify Vulnerable Assets using Qualys Threat Protection
- Recommendations & Mitigations
- Contributors
On October 6, 2022, the United States National Security Agency (NSA) released a cybersecurity advisory on the activity of People’s Republic of China (PRC) state-sponsored cyber actors in pursuit of national interests. These malicious cyber activities attributed to the Chinese government have targeted, and continue to target, a mixture of industries and organizations in the United States. The advisory lists the top CVEs used since 2020 by PRC state-sponsored cyber actors as evaluated by the National Security Agency (NSA), Cybersecurity and I
Tenable
Top 20 CVEs Exploited by People's Republic of China State-Sponsored Actors (AA22-279A)
blogs_tenable · 2022-10-07
Securelist
Kaspersky Q4 2021 DDoS attack report
blogs_securelist · 2022-02-10 · CVSS 9.8 · [CRITICAL]
Authors: Alexander Gutnikov, Oleg Kupreev, Yaroslav Shmelev
## News roundup
Q4 2021 saw the appearance of several new DDoS botnets. A zombie network, named Abcbot by researchers, first hit the radar in July, but at the time it was little more than a simple scanner attacking Linux systems by brute-forcing weak passwords and exploiting known vulnerabilities. In October, the botnet was upgraded with DDoS functionality. Then in December, researchers at Cado Security linked the botnet to the Xanthe cryptojacking group. This is further evidence that the same botnets are often used for mining and DDoS.
The EwDoor botnet, which first came to researchers’ attention in late October, turned out
Checkpoint
13th December – Threat Intelligence Report
blogs_checkpoint · 2021-12-13 · CVE-2021-44228
For the latest discoveries in cyber research for the week of 13th December, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research warns of potential ransomware attacks as samples of Emotet are fast-spreading via Trickbot. Since the Emotet takedown 10 months ago, CPR has spotted over 140,000 victims of Trickbot, across 149 countries, which might now be converted into Emotet, providing ransomware gangs a backdoor into compromise
Fortinet
Mirai-based Botnet - Moobot Targets Hikvision Vulnerability | FortiGuard Labs
blogs_fortinet · 2021-12-06 · CVSS 9.8 · CVE-2021-36260 [CRITICAL]
FortiGuard Labs Threat Research, by Cara Lin, December 06, 2021
Last September 18th, a threat researcher released a write-up about a remote code execution vulnerability that affects various products from Hikvision, one of the largest video surveillance brands in the world. Hikvision, a CVE CNA, quickly assigned the CVE number CVE-2021-36260 and released a patch for the vulnerability on the same day as the threat researcher’s disclosure. Shortly after, FortiGuard Labs developed an IPS signature to address it.
During our analysis, we observed numerous payloads attempting to leverage this vulnerability to probe the status of devices or extract sensitive data from victims. One payload in particular caught our attention.
Greynoiseio
Malicious Tag Roundup (October 2021)
blogs_greynoiseio · CVSS 10.0 · [CRITICAL]
arXiv
Beyond the Surface: Investigating Malicious CVE Proof of Concept Exploits on GitHub
arxiv_fulltext · 2023-06-07
Soufian El Yadmani, Robin The, Olga Gadyatskaya (Leiden Institute of Advanced Computer Science, Leiden University)
## Abstract
Exploit proof-of-concepts (PoCs) for known vulnerabilities are widely shared in the security community. They help security analysts to learn from each other and they facilitate security assessments and red teaming tasks. In the recent years, PoCs have been widely distributed, e.g., via dedicated websites and platforms, and public code repositories such as GitHub. However, there is no guarantee that PoCs in public code repositories come from trustworthy sources or even that they do what they are supposed to do.
In this work we investigate GitHub-hosted PoCs for known vulnerabili
References
- http://packetstormsecurity.com/files/164603/Hikvision-Web-Server-Build-210702-Command-Injection.html
- http://packetstormsecurity.com/files/166167/Hikvision-IP-Camera-Unauthenticated-Command-Injection.html
- https://therecord.media/experts-warn-of-widespread-exploitation-involving-hikvision-cameras/
- https://www.cyfirma.com/wp-content/uploads/2022/08/HikvisionSurveillanceCamerasVulnerabilities.pdf
- https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-36260
Timeline
- 2021-09-22: Published
- 2022-01-10: Added to CISA KEV
- Exploited in the wild