CVE-2023-6895
published 2023-12-17

Severity: critical (CVSS 3.1 base score 9.8; vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Priority: P1 (90)
Exploitation status: exploited in the wild; listed in VulnCheck KEV; used for initial access
EPSS: 89.14% (99.8th percentile)
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.

Affected (2 ranges)

Vendor      Product                        Version range       Fixed in
hikvision   intercom_broadcast_system      >= 3.0.3, < 4.1.0   4.1.0
hikvision   intercom_broadcasting_system

Detection & IOCs (extracted from sources)

path:     /php/ping.php
command:  jsondata[ip]=netstat -ano
command:  jsondata%5Btype%5D=99&jsondata%5Bip%5D={{command}}
other:    shodan: http.favicon.hash:"-1830859634"
other:    fofa: icon_hash="-1830859634"

Snort/Suricata rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hikvision ping.php jsondata[ip] Parameter Command Injection Attempt (CVE-2023-6895)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/php/ping.php"; fast_pattern; http.request_body; content:"jsondata"; pcre:"/^(?:\x5b|%5[bB])type(?:\x5d|%5[dD])\x3d99/R"; content:"jsondata"; pcre:"/^(?:\x5b|%5[bB])ip(?:\x5d|%5[dD])\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.sentinelone.com/vulnerability-database/cve-2023-6895/; reference:cve,2023-6895; classtype:attempted-admin; sid:2068367; rev:1; metadata:affected_product HikVision, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2023_6895, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit is delivered via HTTP POST to /php/ping.php with Content-Type application/x-www-form-urlencoded; the body contains jsondata[type]=99 and a command injected into jsondata[ip] using shell metacharacters (;, newline, backtick, pipe, $).
  • Successful Linux command injection response body matches regex ((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\); successful Windows injection matches 'Windows IP' in the response body.
  • The URI path /php/ping.php has a fixed byte size of 13; use bsize:13 in network signatures to reduce false positives.
  • Vulnerable Hikvision Intercom Broadcasting System devices can be fingerprinted via Shodan or FOFA using the favicon hash -1830859634.
  • The vulnerability is unauthenticated (no credentials required); exploitation is network-accessible (AV:N, PR:N) and the EPSS score is very high (0.932), indicating active exploitation in the wild.
  • The Snort/Suricata rule (sid:2068367) carries the metadata tls_state plaintext: it is written for unencrypted HTTP and will not fire on TLS-encrypted traffic.
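
As an added example (not code from this page, from Hikvision, or from the ET rule's authors), the following Python re-implements the request-side logic of the Snort rule above and the response markers from the notes, so the same check can be run over proxy or web-server logs that a network sensor never sees. The sample requests are constructed, and the `flagged_requests` helper is a hypothetical name introduced here.

```python
import re
from urllib.parse import parse_qs

# Added example: mirrors the ET rule sid:2068367, not the vendor's or the rule author's code.
# Shell metacharacters the rule looks for in jsondata[ip]: ';', newline, backtick, pipe, '$'.
# parse_qs percent-decodes values, so encoded forms (%3B, %0A, %60, %7C, %24) are covered.
INJECTION_CHARS = re.compile(r"[;\n`|$]")
# Response-body markers of a successful injection, taken from the detection notes.
LINUX_SUCCESS = re.compile(r"((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)")
WINDOWS_SUCCESS = re.compile(r"Windows IP")


def is_ping_php_injection(method: str, uri: str, body: str) -> bool:
    """True when a request has the CVE-2023-6895 exploit shape."""
    # The rule pins the URI to exactly /php/ping.php (bsize:13) and the method to POST.
    if method.upper() != "POST" or uri != "/php/ping.php":
        return False
    params = parse_qs(body, keep_blank_values=True)
    if "99" not in params.get("jsondata[type]", []):
        return False
    return any(INJECTION_CHARS.search(v) for v in params.get("jsondata[ip]", []))


def classify_response(body: str):
    """Return 'linux', 'windows' or None based on the post-exploitation markers."""
    if LINUX_SUCCESS.search(body):
        return "linux"
    if WINDOWS_SUCCESS.search(body):
        return "windows"
    return None


# Constructed sample traffic as (method, uri, body); not real captures.
SAMPLE_REQUESTS = [
    ("POST", "/php/ping.php", "jsondata%5Btype%5D=99&jsondata%5Bip%5D=192.168.1.20"),
    ("POST", "/php/ping.php", "jsondata%5Btype%5D=99&jsondata%5Bip%5D=127.0.0.1%3Bnetstat+-ano"),
    ("POST", "/php/other.php", "jsondata%5Btype%5D=99&jsondata%5Bip%5D=127.0.0.1%7Cnetstat+-ano"),
    ("GET", "/php/ping.php", "jsondata[type]=99&jsondata[ip]=127.0.0.1%0Anetstat+-ano"),
]


def flagged_requests(requests=SAMPLE_REQUESTS):
    """Indices of the requests that match the exploit shape (hypothetical helper)."""
    return [i for i, (m, u, b) in enumerate(requests) if is_ping_php_injection(m, u, b)]


if __name__ == "__main__":
    print("flagged request indices:", flagged_requests())          # [1]
    print(classify_response("uid=0(root) gid=0(root) groups=0(root)"))  # linux
```

Only the second sample is flagged: the third hits a different path and the fourth is a GET, matching the rule's method and URI constraints rather than the body alone.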

CVSS provenance

Source      Version   Score   Severity   Vector
NVD         3.1       9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD         2.0       5.8     MEDIUM     AV:A/AC:L/Au:N/C:P/I:P/A:P
VulnCheck             6.3     MEDIUM