The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday informed organizations that some cameras made by Chinese video surveillance vendor Hikvision are affected by a critical vulnerability.
The notification came shortly after the Federal Communications Commission (FCC) announced taking steps toward the removal of Chinese equipment from U.S. networks due to national security concerns stemming from alleged ties between manufacturers and the Chinese government.
CISA’s notification concerns CVE-2021-36260, a critical (CVSS 9.8) command injection vulnerability affecting more than 70 Hikvision camera and NVR models. The flaw allows an unauthenticated remote attacker to take complete control of a targeted device, and exploitation requires no user interaction.
Earlier this month, the researcher who discovered the vulnerability described his findings, and Hikvision issued an advisory informing customers that patched firmware is available for the affected models. Owners should update to the fixed firmware versions listed in that advisory.
The researcher has withheld most technical details to prevent abuse, but warned that beyond taking complete control of a device, an attacker could use a compromised camera as a foothold into the internal network it sits on, which can have serious consequences when the target is a critical infrastructure organization. Until devices are patched, their web interfaces should not be reachable directly from the internet, and cameras and NVRs are best kept on a segmented network separate from business systems.
One day before CISA informed organizations about the vulnerability, the FCC announced the application filing window for the “Secure and Trusted Communications Network Reimbursement Program.”
The goal of this $1.9 billion program is to help small communications services providers — ones with up to 10 million customers in the U.S. — remove, replace and dispose of communication equipment and services that can pose a national security risk. The program specifically targets products from Chinese companies Huawei and ZTE, acquired before June 2020.
In addition to communications services providers, the reimbursement program covers educational institutions, healthcare organizations, and libraries that provide communications services.
The United States over the past years has taken steps toward the complete removal of Chinese equipment from the country’s networks, including through the Secure and Trusted Communications Networks Act of 2019.
Earlier this year, the FCC placed five Chinese companies on its Covered List of communications equipment and services deemed to pose an unacceptable risk to national security; the list included Hikvision, alongside Huawei, ZTE, Hytera, and Dahua.
Devices made by Hikvision are widely used in the United States and elsewhere, which is probably why CISA decided to warn their owners about the risks posed by the recently uncovered vulnerability.
Hikvision got into hot water earlier this year over its alleged involvement in human rights abuses against the Uyghur minority in China, with officials in the United Kingdom calling for a ban on the company.
Hikvision and the other Chinese firms accused of aiding China’s spying efforts have always denied any wrongdoing.