Hikvision Multiple Product Vulnerabilities Allow Privilege Escalation Attacks
Federal agencies have been ordered to patch a critical authentication flaw affecting multiple Hikvision products after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on March 5, 2026. The directive gives federal civilian agencies until March 26, 2026, to apply mitigations or discontinue use of affected products.
The vulnerability, tracked as CVE-2017-7921, stems from an improper authentication weakness embedded across a wide range of Hikvision surveillance and network products.
Despite being disclosed in 2017, the flaw continues to pose a significant risk in production environments where legacy devices remain unpatched, a common scenario in critical infrastructure sectors that rely on IP-based camera and monitoring systems.
CVE-2017-7921 is classified as CWE-287 (Improper Authentication): the device fails to properly verify the identity of a user or process before granting access to restricted resources. Here, an attacker can reach protected functionality without presenting valid administrative credentials, bypassing the authentication controls built into Hikvision’s firmware.
Once exploited, the attacker gains the ability to escalate privileges on the target system, moving from limited access to elevated control. This opens the door to the exfiltration of sensitive data, including camera feeds, configuration files, and stored credentials, and potentially allows an adversary to pivot deeper into the network infrastructure connected to the compromised device.
According to CISA, the attack surface is particularly concerning given Hikvision’s widespread global deployment across government facilities, hospitals, transportation networks, and enterprise environments. Internet-exposed Hikvision devices with default or weak credentials have long been a favored target for threat actors, and this authentication bypass only amplifies that risk.
Under Binding Operational Directive (BOD) 22-01, CISA’s KEV listing carries mandatory remediation requirements for all Federal Civilian Executive Branch (FCEB) agencies. Organizations are directed to apply vendor-issued mitigations immediately, follow BOD 22-01 guidance for cloud-hosted instances, or discontinue use of the product entirely if patches are unavailable.
While CISA’s KEV catalog formally applies to federal entities, the agency strongly urges private-sector organizations, especially those operating critical infrastructure, to treat the catalog as a prioritized patching baseline.
CISA’s KEV entry lists the flaw’s use in ransomware campaigns as unknown. Historically, however, unpatched Hikvision devices have been recruited into botnets and used as footholds for broader network intrusions.
- Apply the latest firmware updates from Hikvision for all affected product lines immediately.
- Audit internet-facing Hikvision devices and remove direct exposure where it is not operationally necessary.
- Enforce network segmentation to isolate surveillance systems from core infrastructure.
- Rotate all default credentials and enforce strong authentication policies across all connected devices.
- Monitor network and device logs for anomalous authentication attempts or privilege escalation indicators.
Organizations that cannot apply patches before the deadline should consider taking affected devices offline to limit exposure until remediation is complete.
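The monitoring step above is the one most teams leave vague. The script below is an added example, not code from the article, from CISA or from Hikvision: it runs over a constructed, reverse-proxy-style access log for a camera and flags the three patterns an authentication bypass or credential-guessing attempt leaves behind: a successful (2xx/3xx) request to an administrative endpoint with no authenticated user recorded, an administrative endpoint reached from outside the management subnet, and a burst of 401 responses from one source. The endpoint prefixes, the management subnet (10.50.0.0/24), the log format and the sample lines are all assumptions made for the example and must be tuned to the firmware and network actually deployed.

```python
"""Flag suspicious access to a surveillance device's management endpoints.

Added example (not from the article, CISA or Hikvision). All paths, subnets
and log lines below are assumed/constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Assumed management-plane path prefixes that must never answer an anonymous
# client. Placeholder list: tune it to the firmware/API version in use.
SENSITIVE_PREFIXES = (
    "/Security/",
    "/System/configurationFile",
    "/ISAPI/Security/",
    "/ISAPI/System/",
)

# Assumed address range from which administrative access is expected.
MGMT_NETS = [ipaddress.ip_network("10.50.0.0/24")]

# Credential-guessing heuristic: this many 401s from one source is a finding.
FAILED_AUTH_THRESHOLD = 5

# Combined-log-style line as a reverse proxy in front of the camera would write:
# src ident user [timestamp] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; not captured from any real device.
SAMPLE_LOG = """\
10.50.0.7 - admin [05/Mar/2026:10:01:12 +0000] "GET /ISAPI/System/deviceInfo HTTP/1.1" 200 812
203.0.113.9 - - [05/Mar/2026:10:02:01 +0000] "GET /Security/users HTTP/1.1" 200 1934
203.0.113.9 - - [05/Mar/2026:10:02:03 +0000] "GET /System/configurationFile HTTP/1.1" 200 65536
198.51.100.4 - - [05/Mar/2026:10:03:00 +0000] "POST /ISAPI/Security/sessionLogin HTTP/1.1" 401 0
198.51.100.4 - - [05/Mar/2026:10:03:01 +0000] "POST /ISAPI/Security/sessionLogin HTTP/1.1" 401 0
198.51.100.4 - - [05/Mar/2026:10:03:02 +0000] "POST /ISAPI/Security/sessionLogin HTTP/1.1" 401 0
198.51.100.4 - - [05/Mar/2026:10:03:03 +0000] "POST /ISAPI/Security/sessionLogin HTTP/1.1" 401 0
198.51.100.4 - - [05/Mar/2026:10:03:04 +0000] "POST /ISAPI/Security/sessionLogin HTTP/1.1" 401 0
198.51.100.4 - - [05/Mar/2026:10:03:05 +0000] "POST /ISAPI/Security/sessionLogin HTTP/1.1" 401 0
192.168.1.20 - viewer [05/Mar/2026:10:04:00 +0000] "GET /Streaming/channels/101/picture HTTP/1.1" 200 44321
10.50.0.7 - admin [05/Mar/2026:10:05:40 +0000] "PUT /ISAPI/Security/users/2 HTTP/1.1" 200 120
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # ignore query string
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def is_sensitive(path):
    """True if the path is under an assumed administrative prefix."""
    return path.startswith(SENSITIVE_PREFIXES)


def from_mgmt(src):
    """True if the source address lies inside an assumed management subnet."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in MGMT_NETS)


def analyze(lines):
    """Return a list of (source, path, reason) findings for the given log lines."""
    findings = []
    failed = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 401:
            failed[rec["src"]] += 1
        if is_sensitive(rec["path"]) and rec["status"] < 400:
            if rec["user"] is None:
                findings.append((rec["src"], rec["path"],
                                 "anonymous success on admin endpoint"))
            if not from_mgmt(rec["src"]):
                findings.append((rec["src"], rec["path"],
                                 "admin endpoint reached from outside management network"))
    for src, n in failed.items():
        if n >= FAILED_AUTH_THRESHOLD:
            findings.append((src, "*", f"{n} failed authentications (possible credential guessing)"))
    return findings


if __name__ == "__main__":
    for src, path, reason in analyze(SAMPLE_LOG.splitlines()):
        print(f"{src:15} {path:35} {reason}")
```

On the sample log this yields five findings: two for each of the two anonymous 200 responses on administrative paths from 203.0.113.9 (anonymous success plus out-of-network source), and one for the six 401s from 198.51.100.4. The authenticated admin requests from the management subnet and the viewer's snapshot request produce nothing. The first pattern, a 2xx on a management endpoint with no user identity attached, is the signature to alert on hardest: on a patched device it should never occur, so a single hit is worth an investigation rather than a threshold.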
Site: cybersecuritypath.com