CVE-2022-28171: Command Injection
First published: Mon Jun 27 2022(Updated: )
The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.
Credit: Thurein Soe hsrc@hikvision.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Hikvision DS-A71024 | <=2.3.8-6 | |
| Hikvision DS-A71024 Firmware | ||
| Hikvision DS-A71048 Firmware | <=2.3.8-6 | |
| Hikvision DS-A71048 | ||
| Hikvision DS-A71072R Firmware | <=2.3.8-6 | |
| Hikvision DS-A71072R Firmware | ||
| Hikvision DS-A80624S Firmware | <=2.3.8-6 | |
| Hikvision DS-A80624S Firmware | ||
| Hikvision DS-A81016S | <=2.3.8-6 | |
| Hikvision DS-A81016S Firmware | ||
| Hikvision DS-A72024 | <=2.3.8-6 | |
| Hikvision DS-A72024 Firmware | ||
| Hikvision DS-A72072R | <=2.3.8-6 | |
| Hikvision DS-A72072R Firmware | ||
| Hikvision DS-A80316S | <=2.3.8-6 | |
| Hikvision DS-A80316S | ||
| Hikvision DS-A82024D | <=2.3.8-6 | |
| Hikvision DS-A82024D Firmware | ||
| Hikvision DS-A71024 | <=1.1.4 | |
| Hikvision DS-A71048R-CVS | <=1.1.4 | |
| Hikvision DS-A71048R-CVS Firmware | ||
| Hikvision DS-A72024 | <=1.1.4 | |
| Hikvision DS-A72048R-CVS | <=1.1.4 | |
| Hikvision DS-A72048R-CVS Firmware |
Remedy
https://www.hikvision.com/content/dam/hikvision/en/support/cybersecyrity/security-advisory/Patch-for-Fixing-Security-Vulnerability-of-Hybrid-SAN-&-Cluster-Storage.zip
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.exploit-db.com/exploits/51607
- http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html
- http://packetstormsecurity.com/files/173653/Hikvision-Hybrid-SAN-Ds-a71024-SQL-Injection.html
- https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products/
Frequently Asked Questions
What is CVE-2022-28171?
CVE-2022-28171 is a security vulnerability present in some Hikvision Hybrid SAN/Cluster Storage products that allows attackers to execute restricted commands.
Which Hikvision products are affected by CVE-2022-28171?
Hikvision Ds-a71024, Hikvision Ds-a71048, Hikvision Ds-a71072r, Hikvision Ds-a80624s, Hikvision Ds-a81016s, Hikvision Ds-a72024, Hikvision Ds-a72072r, Hikvision Ds-a80316s, and Hikvision Ds-a82024d are affected by CVE-2022-28171.
What is the severity of CVE-2022-28171?
CVE-2022-28171 has a severity rating of 9.8, which is considered critical.
How can an attacker exploit CVE-2022-28171?
Attackers can exploit CVE-2022-28171 by sending messages with malicious commands to the affected device, taking advantage of insufficient input validation.
Are there any known references for CVE-2022-28171?
Yes, you can find references for CVE-2022-28171 at the following links: [Exploit-DB](https://www.exploit-db.com/exploits/51607), [Packet Storm Security](http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html), [Packet Storm Security](http://packetstormsecurity.com/files/173653/Hikvision-Hybrid-SAN-Ds-a71024-SQL-Injection.html)
- exploited/true
- collector/exploitdb-recent
- alias/CVE-2022-28171
- agent/type
- agent/severity
- agent/references
- agent/weakness
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/hikvision
- canonical/hikvision ds-a71024
- version/hikvision ds-a71024/2.3.8-6
- canonical/hikvision ds-a71024 firmware
- canonical/hikvision ds-a71048 firmware
- version/hikvision ds-a71048 firmware/2.3.8-6
- canonical/hikvision ds-a71048
- canonical/hikvision ds-a71072r firmware
- version/hikvision ds-a71072r firmware/2.3.8-6
- canonical/hikvision ds-a80624s firmware
- version/hikvision ds-a80624s firmware/2.3.8-6
- canonical/hikvision ds-a81016s
- version/hikvision ds-a81016s/2.3.8-6
- canonical/hikvision ds-a81016s firmware
- canonical/hikvision ds-a72024
- version/hikvision ds-a72024/2.3.8-6
- canonical/hikvision ds-a72024 firmware
- canonical/hikvision ds-a72072r
- version/hikvision ds-a72072r/2.3.8-6
- canonical/hikvision ds-a72072r firmware
- canonical/hikvision ds-a80316s
- version/hikvision ds-a80316s/2.3.8-6
- canonical/hikvision ds-a82024d
- version/hikvision ds-a82024d/2.3.8-6
- canonical/hikvision ds-a82024d firmware
- version/hikvision ds-a71024/1.1.4
- canonical/hikvision ds-a71048r-cvs
- version/hikvision ds-a71048r-cvs/1.1.4
- canonical/hikvision ds-a71048r-cvs firmware
- version/hikvision ds-a72024/1.1.4
- canonical/hikvision ds-a72048r-cvs
- version/hikvision ds-a72048r-cvs/1.1.4
- canonical/hikvision ds-a72048r-cvs firmware