CVE-2021-36260
published 2021-09-22

Priority: P1 (97)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerabilities catalog: listed, remediation due 2022-01-24
Exploited in the wild: yes
EPSS: 99.87% (100.0th percentile)
A command injection vulnerability in the web server of some Hikvision products. Because of insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages that contain malicious commands.

Affected

19 version ranges, all Hikvision NVR firmware; this page lists no fixed-in version for any of them.

Vendor     Product                         Version range        Fixed in
hikvision  ds-7104ni-q1_4p_firmware        4.30.300 – 4.31.100  (not listed)
hikvision  ds-7104ni-q1_4p_m_firmware      4.30.300 – 4.31.100  (not listed)
hikvision  ds-7104ni-q1_firmware           4.30.300 – 4.31.100  (not listed)
hikvision  ds-7104ni-q1_m_firmware         4.30.300 – 4.31.100  (not listed)
hikvision  ds-7108ni-q1_8p_firmware        4.30.300 – 4.31.100  (not listed)
hikvision  ds-7108ni-q1_8p_m_firmware      4.30.300 – 4.31.100  (not listed)
hikvision  ds-7108ni-q1_firmware           4.30.300 – 4.31.100  (not listed)
hikvision  ds-7108ni-q1_m_firmware         4.30.300 – 4.31.100  (not listed)
hikvision  ds-7604ni-q1_4p_firmware        4.30.210 – 4.31.000  (not listed)
hikvision  ds-7604ni-q1_firmware           4.30.210 – 4.31.000  (not listed)
hikvision  ds-7608ni-k1_8p_4g_firmware     4.30.210 – 4.31.000  (not listed)
hikvision  ds-7608ni-q1_8p_firmware        4.30.210 – 4.31.000  (not listed)
hikvision  ds-7608ni-q1_firmware           4.30.210 – 4.31.000  (not listed)
hikvision  ds-7608ni-q2_8p_firmware        4.30.210 – 4.31.000  (not listed)
hikvision  ds-7608ni-q2_firmware           4.30.210 – 4.31.000  (not listed)
hikvision  ds-7616ni-k1_firmware           4.30.210 – 4.31.000  (not listed)
hikvision  ds-7616ni-q1_firmware           4.30.210 – 4.31.000  (not listed)
hikvision  ds-7616ni-q2_16p_firmware       4.30.210 – 4.31.000  (not listed)
hikvision  ds-7616ni-q2_firmware           4.30.210 – 4.31.000  (not listed)

Detection & IOCs (extracted from sources)

hash: 1DCE6F3BA4A8D355DF21A17584C514697EE0C37B51AB5657BC5B3A297B65955F
hash: 38414BB5850A7076F4B33BF81BAC9DB0376A4DF188355FAC39D80193D7C7F557
domain: life.zerobytes.cc
  • Moobot's C2 heartbeat is a two-byte null packet (\x00\x00); look for this pattern repeating in outbound TCP sessions from camera/NVR devices to identify C2 beaconing.
  • Moobot's config is XOR-encoded with the single-byte key 0x22; apply the same XOR to decode it and extract C2 addresses from captured samples or memory dumps.
  • CVE-2021-36260 exploitation injects shell commands into the language tag handled by the web server's SDK webLanguage component (the tag named in the FortiGuard signature below); monitor Hikvision web server logs, or a capture in front of the device, for tag content that is not a plain language code and for otherwise anomalous HTTP requests to that component.
  • FortiGuard IPS signature 'Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection' (released in IPS definition version 18.192) detects CVE-2021-36260 exploitation attempts.
  • Iran-nexus scanning infrastructure uses commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and VPS; correlate inbound scan traffic from these providers against Hikvision/Dahua devices as a threat-hunting pivot.
  • CVE-2021-36260 is exploitable by unauthenticated attackers; no credentials are required to trigger the command injection via the Hikvision web server component.
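The detection logic for the indicators listed above, as an added example that is not code from this page's sources, from FortiGuard or from Hikvision: it XOR-decodes a Moobot-style config table with key 0x22 and pulls host[:port] strings out of it, flags TCP sessions whose client-side payloads are repeated \x00\x00 heartbeats, and flags captured HTTP requests to the webLanguage endpoint whose <language> tag holds anything other than a plain language code. The /SDK/webLanguage path and the <language> tag name follow the FortiGuard signature name and public write-ups of the CVE rather than this page's own data; the NUL-separated config layout, the dict-shaped session and request records, and all sample data are constructed for the example.

```python
import re
from typing import Dict, List

# Moobot indicators as stated on the page: single-byte XOR key 0x22, 2-byte null heartbeat.
MOOBOT_XOR_KEY = 0x22
MOOBOT_HEARTBEAT = b"\x00\x00"

# Matches "host" or "host:port" where host is a dotted name or an IPv4 literal.
_C2_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+(?::\d{1,5})?$")


def xor_decode(blob: bytes, key: int = MOOBOT_XOR_KEY) -> bytes:
    """Undo Moobot's single-byte XOR config encoding; XOR is symmetric, so this also encodes."""
    return bytes(b ^ key for b in blob)


def extract_c2(encoded_config: bytes) -> List[str]:
    """Decode a config table and return the entries that look like host[:port] C2 addresses.
    Assumption (not from the page): entries are NUL-separated strings."""
    hits = []
    for entry in xor_decode(encoded_config).split(b"\x00"):
        text = entry.decode("ascii", errors="replace")
        if _C2_RE.match(text):
            hits.append(text)
    return hits


def heartbeat_sessions(sessions: List[Dict], min_beats: int = 3) -> List[str]:
    """Return 'src->dst' for sessions whose client payloads are repeated 2-byte null packets."""
    flagged = []
    for s in sessions:
        beats = sum(1 for p in s["client_payloads"] if p == MOOBOT_HEARTBEAT)
        if beats >= min_beats:
            flagged.append(f"{s['src']}->{s['dst']}")
    return flagged


# CVE-2021-36260 request check. Endpoint path and tag name are assumptions taken from the
# FortiGuard signature name (SDK / webLanguage / tag) and public write-ups, not from this page.
_LANG_TAG_RE = re.compile(r"<language>(.*?)</language>", re.IGNORECASE | re.DOTALL)
# Benign values are short language codes such as "en" or "zh-CN"; anything else is anomalous.
_LANG_OK_RE = re.compile(r"^[A-Za-z]{2,3}(?:-[A-Za-z]{2,4})?$")


def suspicious_weblanguage_requests(requests: List[Dict]) -> List[str]:
    """Flag captured PUT/POST requests to the webLanguage endpoint whose <language> value
    is missing or is not a plain language code (shell metacharacters never pass the allowlist)."""
    flagged = []
    for r in requests:
        if r["method"].upper() not in ("PUT", "POST"):
            continue
        if not r["path"].lower().rstrip("/").endswith("/sdk/weblanguage"):
            continue
        m = _LANG_TAG_RE.search(r["body"])
        value = m.group(1).strip() if m else ""
        if not m or not _LANG_OK_RE.match(value):
            flagged.append(f"{r['src']} {r['method']} {r['path']} language={value!r}")
    return flagged


# Constructed sample data (not real captures); addresses come from RFC 5737 documentation ranges.
SAMPLE_CONFIG = xor_decode(b"life.zerobytes.cc\x00/bin/busybox\x00wget\x00")  # encode with the same key
SAMPLE_SESSIONS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "client_payloads": [b"\x00\x00"] * 4},
    {"src": "192.0.2.11", "dst": "198.51.100.9", "client_payloads": [b"GET / HTTP/1.1\r\n"]},
]
SAMPLE_REQUESTS = [
    {"src": "192.0.2.20", "method": "PUT", "path": "/SDK/webLanguage", "body": "<language>en</language>"},
    {"src": "203.0.113.4", "method": "PUT", "path": "/SDK/webLanguage", "body": "<language>en$(id)</language>"},
    {"src": "192.0.2.21", "method": "GET", "path": "/doc/page/login.asp", "body": ""},
]

if __name__ == "__main__":
    print("C2 from config:", extract_c2(SAMPLE_CONFIG))
    print("beaconing sessions:", heartbeat_sessions(SAMPLE_SESSIONS))
    print("suspicious webLanguage requests:", suspicious_weblanguage_requests(SAMPLE_REQUESTS))
```

The request check uses an allowlist on the tag value rather than a blocklist of shell metacharacters, so encoded or unusual injection syntax is still caught; tune `_LANG_OK_RE` to the language codes your devices legitimately send before deploying it.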

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL