CISA Warns of Hikvision Camera Flaw as U.S. Aims to Rid Chinese Gear From Networks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday informed organizations that some cameras made by Chinese video surveillance vendor Hikvision are affected by a critical vulnerability.

The notification came shortly after the Federal Communications Commission (FCC) announced taking steps toward the removal of Chinese equipment from U.S. networks due to national security concerns stemming from alleged ties between manufacturers and the Chinese government.

CISA’s notification is for CVE-2021-36260, a critical command injection vulnerability affecting more than 70 Hikvision camera and NVR models. The flaw can allow a remote attacker to take complete control of a targeted device without any user interaction.

Earlier this month, the researcher who discovered the vulnerability described his findings, and Hikvision issued an advisory to inform customers about the availability of patches.

The researcher has not released too many technical details to prevent abuse, but warned that in addition to taking complete control of a device, an attacker could leverage the vulnerability to access internal networks, which can have serious consequences if the attack is aimed at a critical infrastructure organization.

One day before CISA informed organizations about the vulnerability, the FCC announced the application filing window for the “Secure and Trusted Communications Network Reimbursement Program.”

The goal of this $1.9 billion program is to help small communications services providers — ones with up to 10 million customers in the U.S. — remove, replace and dispose of communication equipment and services that can pose a national security risk. The program specifically targets products from Chinese companies Huawei and ZTE, acquired before June 2020.

In addition to communications services providers, the reimbursement program covers educational institutions, healthcare organizations, and libraries that provide communications services.

The United States over the past years has taken steps toward the complete removal of Chinese equipment from the country’s networks, including through the Secure and Trusted Communications Networks Act of 2019.

Earlier this year, the FCC named five Chinese telecom device manufacturers that allegedly pose a threat to national security, and the list included Hikvision, alongside Huawei, ZTE, Hytera, and Dahua.

Devices made by Hikvision are widely used in the United States and elsewhere, which is probably why CISA decided to warn their owners about the risks posed by the recently uncovered vulnerability.

Hikvision got into hot water earlier this year over its alleged involvement in human rights abuses against the Uyghur minority in China, with officials in the United Kingdom asking for a ban of the company.

Hikvision and the other Chinese firms accused of aiding China’s spying efforts have always denied any wrongdoing.

Related: New Bill Would Prohibit Intelligence Sharing With Countries That Use Huawei

Related: US Adds Sanctions on China’s Huawei to Limit Technology Access

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
