Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV hacking, according to the researchers who found it.
In an advisory published on December 16, Hikvision revealed that two of its wireless bridge products, designed for elevator and other video surveillance systems, are affected by CVE-2022-28173, a critical access control vulnerability.
The security hole can be exploited by sending specially crafted messages to affected devices, allowing the attacker to gain administrator permissions.
Firmware patches have been made available for DS-3WF0AC-2NT and DS-3WF01C-2N/O products. The issue was reported to the vendor in September through CERT India and a patch was released earlier this month.
Souvik Kandar and Arko Dhar of India-based CCTV and IoT cybersecurity company Redinent Innovations have been credited for reporting the vulnerability.
In an advisory published this week, Redinent explained that the flaw is caused by improper parameter handling by the product’s web-based management interface. An attacker can exploit the weakness to gain admin access to the management interface by sending a specially crafted request with a payload that does not exceed 200 bytes.
“Post exploitation, the administrative session persists with full access to all functions of the bridge interface,” the advisory explains.
Redinent’s Arko Dhar told SecurityWeek that CVE-2022-28173 can be exploited from the local network by an insider or a threat actor that has gained access to the organization’s network, and directly from the internet if a vulnerable device is exposed to the web.
According to Dhar, Shodan and Censys searches do show such devices being directly accessible from the internet, and they are likely vulnerable if they haven’t been patched.
Once the attacker has successfully exploited the vulnerability, they can intercept network traffic or hack CCTV systems.
“Typically these devices are used for transmission of CCTV video streams from cameras inside an elevator to a command center or security operations console,” the researcher explained. “An attacker can disable or shut down the video feed as part of a planned physical incident — for example, coordinated robbery or theft — or snoop on people.”
In a notification sent to partners, Hikvision clarified that products offered in the US market are not impacted by the vulnerability.
The United States recently restricted the use of China-made video surveillance systems, including ones made by Hikvision, citing an “unacceptable risk” to national security.
Hikvision’s notification to partners regarding CVE-2022-28173 noted that the company is committed to working with third-party researchers to patch vulnerabilities in its products.
In addition, the notification informs partners, “Hikvision strictly complies with the laws and regulations in all countries and regions where we operate and we apply the highest standards of cybersecurity practices in an effort to best protect the users of Hikvision products around the world.”