Reset

Privilege-Escalation Vulnerability

March 15, 2017

Dear Valued Customers and Partners:

Hikvision became aware of a privilege-escalation vulnerability that could potentially present a cybersecurity concern under certain, fairly uncommon circumstances. With this announcement, Hikvision would like to notify you that our R&D team has determined that a firmware update will be required to resolve this issue. The issue is resolved once the device is upgraded to the latest firmware.

What is the privilege-escalation vulnerability?

When a specific request code is used to access the IP cameras with particular firmware versions directly, it may allow attackers to obtain an unauthorized escalated additional user privilege to acquire or tamper with the device information.

Which Hikvision products could be affected and how are those cameras accessed?

This code error only affects the Hikvision IP cameras listed in the attached “Security Notification: Privilege-Escalation Vulnerability in Certain Hikvision IP Cameras.”

The overwhelming majority of Hikvision cameras are accessed through aconnected NVR, Hikvision iVMS software, or third-party VMS software. As such, it limits the possibility for Hikvision IP cameras to be open to public access, lowering the risk of the cybersecurity exposure. To date, Hikvision is not aware of any reports of malicious activity associated with this vulnerability.


 

How is Hikvision resolving this issue?

In the interest of protecting our customers from any potential cybersecurity threat, Hikvision is taking proactive action to make you aware of this issue, and to inform you of the firmware upgrade, readily available now, that resolves this issue.

What should users of these particular cameras do?

Hikvision is advising all users of these cameras to upgrade to the correct firmware version, which fixes this issue. Please note, for the Affected Versions' firmware listed in the table below, you may need a two-step upgrade process. We've packed all necessary firmware and a README text file into a single download file. Please follow the README instruction to upgrade your device's firmware. If you're still using HiDDNS service directly connected to your IP camera, please use v5.4.41 (v5.4.71 for DF series PTZ), which is packed in the download file. Starting with v5.4.5 (v5.4.9 for DF series PTZ) HiDDNS service is no longer supported, but only Hik-Connect is available.

Please refer to the table below.


 

Product Name

Affected Versions

Resolved Versions

Where to update firmware

DS-2CD2xx2F-I Series

V5.2.0 build 140721 to V5.4.0 Build 160530

v5.4.5 Build 170123 and later

Download Link

DS-2CD2xx0F-I Series

V5.2.0 build 140721 to V5.4.0 Build 160401

v5.4.5 Build 170123 and later

Download Link

DS-2CD2xx2FWD Series

V5.3.1 build 150410 to V5.4.4 Build 161125

v5.4.5 Build 170124 and later

Download Link

DS-2CD4x2xFWD Series

V5.2.0 build 140721 to V5.4.0 Build 160414

v5.4.5 Build 170228 and later

Download Link

DS-2CD4xx5 Series

V5.2.0 build 140721 to V5.4.0 Build 160421

v5.4.5 Build 170302 and later

Download Link

DS-2DFx Series

V5.2.0 build 140805 to V5.4.5 Build 160928

v5.4.9 Build 170123 and later

Download Link

DS-2CD63xx Series

V5.0.9 build 140305 to V5.3.5 Build 160106

v 5.4.5 Build 170206 and later

Download Link

Cybersecurity risk is one of the biggest ongoing challenges facing the security industry today. As your trusted partner, we believe it's our responsibility to be vigilant and transparent about cybersecurity threats, to keep you informed, and to employ the industry's best practices. We encourage our partners to take advantage of the many cybersecurity resources Hikvision offers, including the Hikvision Security Center - an industry-leading cybersecurity resource. At the Security Center you can find detailed information about the Hikvision Network and Information Security Lab, third-party and internal testing, and third-party certifications. Additionally, customers can also contact Tech Support or their Hikvision representative anytime with any concerns or questions.

Thank you for your continued support.

Team Hikvision USA Inc. & Hikvision Canada Inc.

IMPORTANT! This model requires non-standard firmware. Do Not Install standard firmware (e.g. v.4.1.xx) on this model. Doing so will permanently damage your system. You must use custom firmware v.4.1.25 from the iDS-9632NXI-I8/16S product page.

By downloading and using software and other materials available via this website, you agree to be legally bound by HIKVISION General Terms of Use . If you don’t agree to these terms, you may not download or use any of those materials.

If you are agreeing on behalf of your company, you represent and warrant that you have legal authority to bind your company to the General Terms of Use above. Also you represent and warrant that you are of the legal age of majority in the jurisdiction in which you reside (at least 18 years of age in many countries).