CVE-2023-6895
Published: 2023-12-17
Priority: P1 · 90 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 89.14% (99.8th percentile)
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to OS command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 addresses this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hikvision | intercom_broadcast_system | >= 3.0.3 < 4.1.0 | 4.1.0 |
| hikvision | intercom_broadcasting_system | — | — |
Detection & IOCs (extracted from sources)
command: jsondata%5Btype%5D=99&jsondata%5Bip%5D={{command}}
other: shodan: http.favicon.hash:"-1830859634"
other: fofa: icon_hash="-1830859634"
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hikvision ping.php jsondata[ip] Parameter Command Injection Attempt (CVE-2023-6895)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/php/ping.php"; fast_pattern; http.request_body; content:"jsondata"; pcre:"/^(?:\x5b|%5[bB])type(?:\x5d|%5[dD])\x3d99/R"; content:"jsondata"; pcre:"/^(?:\x5b|%5[bB])ip(?:\x5d|%5[dD])\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.sentinelone.com/vulnerability-database/cve-2023-6895/; reference:cve,2023-6895; classtype:attempted-admin; sid:2068367; rev:1; metadata:affected_product HikVision, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2023_6895, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit is delivered via HTTP POST to /php/ping.php with Content-Type application/x-www-form-urlencoded; the body contains jsondata[type]=99 and a command injected into jsondata[ip] using shell metacharacters (;, newline, backtick, pipe, $).
- Successful Linux command injection response body matches regex ((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\); successful Windows injection matches 'Windows IP' in the response body.
- The URI path /php/ping.php has a fixed byte size of 13; use bsize:13 in network signatures to reduce false positives.
- Vulnerable Hikvision Intercom Broadcasting System devices can be fingerprinted via Shodan or FOFA using the favicon hash -1830859634.
- The vulnerability is unauthenticated (no credentials required); exploitation is network-accessible (AV:N, PR:N) and has a very high EPSS score (0.932), indicating active exploitation in the wild.
- The Snort/Suricata rule (sid:2068367) is marked for plaintext TLS state only; it will not fire on TLS-encrypted traffic.
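The request conditions in the notes above, applied to logged request bodies (for example from a reverse proxy that terminates TLS) as an added example; it is not code from this page or any of its sources. It goes one step beyond the rule by also flagging a jsondata[ip] value that is not an IP literal, because the input named in the description, netstat -ano, contains none of the metacharacters the rule matches. The function names, the sample requests and the assumption that legitimate ping targets are IPv4/IPv6 literals are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs

PING_PATH = "/php/ping.php"        # endpoint named on the page
SHELL_META = set(";\n`|$")         # the characters the rule's pcre looks for

def classify(method: str, path: str, body: str) -> str:
    """Classify one logged request: ignore, benign, metachar or not_ip."""
    if method.upper() != "POST" or path != PING_PATH:
        return "ignore"
    # parse_qs percent-decodes keys and values, so %5B, %5b and [ compare
    # equal and the order of the two fields does not matter.
    fields = parse_qs(body, keep_blank_values=True)
    if "99" not in fields.get("jsondata[type]", []):
        return "ignore"
    targets = fields.get("jsondata[ip]", [])
    if not targets:
        return "ignore"
    if any(SHELL_META & set(value) for value in targets):
        return "metachar"          # same condition the network rule alerts on
    for value in targets:
        try:
            # Assumption: a legitimate ping target is an IPv4/IPv6 literal.
            ipaddress.ip_address(value)
        except ValueError:
            return "not_ip"        # no metacharacter, but not an address either
    return "benign"

# Constructed sample requests (method, path, body); CMD is a placeholder.
SAMPLES = [
    ("POST", PING_PATH, "jsondata%5Btype%5D=99&jsondata%5Bip%5D=192.0.2.10"),
    ("POST", PING_PATH, "jsondata%5Btype%5D=99&jsondata%5Bip%5D=192.0.2.10%3BCMD"),
    ("POST", PING_PATH, "jsondata%5bip%5d=192.0.2.10%7CCMD&jsondata%5btype%5d=99"),
    ("POST", PING_PATH, "jsondata%5Btype%5D=99&jsondata%5Bip%5D=netstat+-ano"),
    ("GET", PING_PATH, ""),
]

def triage(samples=SAMPLES):
    """Return one verdict per sample, in order."""
    return [classify(*sample) for sample in samples]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, triage()):
        print(f"{verdict:9} {sample[0]} {sample[1]} {sample[2]}")
```

A not_ip verdict is a hunting lead rather than proof of exploitation; pair it with the response-body indicators listed above.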
CVSS provenance
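| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.8 | MEDIUM | AV:A/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 6.3 | MEDIUM | — |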
GHSA
GHSA-rg52-4hvq-96p6: A vulnerability was found in Hikvision Intercom Broadcasting System 3
ghsa_unreviewed·2023-12-17
CVE-2023-6895 [MEDIUM] CWE-78 GHSA-rg52-4hvq-96p6: A vulnerability was found in Hikvision Intercom Broadcasting System 3
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to OS command injection. The exploit has been disclosed to the public and may be used. VDB-248254 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
VulnCheck
Hikvision intercom_broadcast_system Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2023·CVSS 6.3
CVE-2023-6895 [MEDIUM] Hikvision intercom_broadcast_system Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: Hikvision intercom_broadcast_system
Required Action: Apply remediations or mitigations per vendor instructions or discontin
Suricata
ET WEB_SPECIFIC_APPS Hikvision ping.php jsondata[ip] Parameter Command Injection Attempt (CVE-2023-6895)
suricata·2026-03-20·CVSS 6.3
CVE-2023-6895 [MEDIUM] ET WEB_SPECIFIC_APPS Hikvision ping.php jsondata[ip] Parameter Command Injection Attempt (CVE-2023-6895)
Nuclei
Hikvision IP ping.php - Command Execution
nuclei·CVSS 9.8
CVE-2023-6895 [CRITICAL] Hikvision IP ping.php - Command Execution
Template:
id: CVE-2023-6895
info:
  name: Hikvision IP ping.php - Command Execution
  author: DhiyaneshDk,archer
  severity: critical
  description: |
    A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_
Tenable
Iranian-linked actors are engaging in disruptive attacks
blogs_tenable·2026-03-11
Checkpoint
Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
blogs_checkpoint·2026-03-04
CVE-2017-7921 Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
## Key Findings
During the ongoing conflict, we identified intensified targeting of IP cameras f
Checkpoint
2025: The Untold Stories of Check Point Research
blogs_checkpoint·2026-02-23
CVE-2025-33053 2025: The Untold Stories of Check Point Research
## Introduction
Check Point Research (CPR) continuously tracks threats, following the clues that lead to major players and incidents in t
Greynoiseio
NoiseLetter March 2024
blogs_greynoiseio