Some versions of Hikvision's iSecure Center Product contain insufficient parameter validation, resulting in a command injection vulnerability. Attackers may exploit this to gain platform privileges and execute arbitrary commands on the system.iSecure Center is software released for China's domestic market only, with no overseas release.
The vulnerability (CWE-141 — insufficient parameter validation) stems from the application failing to properly filter user-supplied data before passing it to a system command interpreter. An attacker can craft a malicious network request containing embedded system commands that will be executed in the context of the iSecure Center platform. The attack vector is network-based and does not require authentication or user interaction.
An attacker can obtain iSecure Center platform privileges and execute arbitrary commands on the host operating system, resulting in complete loss of system confidentiality, integrity, and availability.
Apply patches available from the manufacturer in accordance with the references: https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/2023-04/
Selected versions of Hikvision iSecure Center software intended exclusively for the Chinese market (no version available outside China). Specific version numbers are indicated in the manufacturer's references.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H