CVE-2022-28171
published 2022-06-27

Priority: P180, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 49.86% (98.8th percentile)

The web module in some Hikvision Hybrid SAN/Cluster Storage products has the following security vulnerability. Due to insufficient input validation, an attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.

Affected

13 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hikvision | ds-a71024_firmware | <= 2.3.8-6 | |
| hikvision | ds-a71024_firmware | <= 1.1.4 | |
| hikvision | ds-a71048_firmware | <= 2.3.8-6 | |
| hikvision | ds-a71048r-cvs_firmware | <= 1.1.4 | |
| hikvision | ds-a71072r_firmware | <= 2.3.8-6 | |
| hikvision | ds-a72024_firmware | <= 2.3.8-6 | |
| hikvision | ds-a72024_firmware | <= 1.1.4 | |
| hikvision | ds-a72048r-cvs_firmware | <= 1.1.4 | |
| hikvision | ds-a72072r_firmware | <= 2.3.8-6 | |
| hikvision | ds-a80316s_firmware | <= 2.3.8-6 | |
| hikvision | ds-a80624s_firmware | <= 2.3.8-6 | |
| hikvision | ds-a81016s_firmware | <= 2.3.8-6 | |
| hikvision | ds-a82024d_firmware | <= 2.3.8-6 | |

Detection & IOCs (extracted from sources)

url: /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)'
path: /web/log/dynamic_log.php
port: 2004
command: ' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid}, SLEEP({sleep_time}), 0))-- -
  • Detect blind SQL injection attempts against the vulnerable endpoint by monitoring GET requests to /web/log/dynamic_log.php with the 'downloadtype' parameter containing SQL sleep/time-delay payloads (e.g., sleep(), SELECT IF(...)).
  • Monitor for anomalously long HTTP response times (>=10–20 seconds) on requests to /web/log/dynamic_log.php, which are indicative of time-based blind SQL injection exploitation.
  • Alert on HTTP GET requests to port 2004 targeting /web/log/dynamic_log.php with query parameters containing SQL metacharacters or subquery patterns such as (select*from(select(sleep(...)))a).
  • The exploit routes traffic through a local proxy on localhost:8080; lateral movement or testing activity may be visible as requests originating from loopback proxy infrastructure.
  • Exploitation requires the attacker to be on the same network as the target device; this is not a remotely exploitable vulnerability from the open internet.
  • The vulnerable web module listens on a non-standard port (2004); ensure network monitoring and firewall rules cover this port for affected Hikvision Hybrid SAN/Cluster Storage devices.
  • Multiple vulnerability classes are present beyond SQL injection, including command injection, HTTP request smuggling, and reflected XSS — detection coverage should address all attack surfaces.

CVSS provenance

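| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |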