Back to KEVs

CVE-2021-36260

A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the...

Basic Information

CVE State: PUBLISHED
Reserved Date: July 08, 2021
Published Date: September 22, 2021
Last Updated: February 06, 2025
Vendor: n/a
Product: n/a
Description: A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.

CVSS Scores

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2022-01-10 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2021-10-18 06:40:48 UTC) Source

References

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/ http://packetstormsecurity.com/files/164603/Hikvision-Web-Server-Build-210702-Command-Injection.html http://packetstormsecurity.com/files/166167/Hikvision-IP-Camera-Unauthenticated-Command-Injection.html https://www.cyfirma.com/wp-content/uploads/2022/08/HikvisionSurveillanceCamerasVulnerabilities.pdf https://therecord.media/experts-warn-of-widespread-exploitation-involving-hikvision-cameras/

Known Exploited Vulnerability Information

Source	Added Date
CISA	2022-01-10 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hikvision_cve_2021_36260_blind.rb	2025-04-29 11:01:13 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-36260.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

hikvision_cve_2021_36260_blind

Type: metasploit • Created: Unknown

Metasploit module for CVE-2021-36260

Cuerz/CVE-2021-36260

Type: github • Created: 2022-08-03 17:27:59 UTC • Stars: 149

海康威视RCE漏洞批量检测和利用工具

TaroballzChen/CVE-2021-36260-metasploit

Type: github • Created: 2021-11-03 08:11:49 UTC • Stars: 16

the metasploit script(POC) about CVE-2021-36260

Aiminsun/CVE-2021-36260

Type: github • Created: 2021-10-27 15:51:12 UTC • Stars: 266

command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.

rabbitsafe/CVE-2021-36260

Type: github • Created: 2021-10-18 06:40:48 UTC • Stars: 16

CVE-2021-36260