CVE-2021-36260
Hikvision Improper Input Validation
CVSS 9.8 · CRITICAL
⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog
Confirmed exploited in the wild. Added 2022-01-10.
Federal remediation due 2022-01-24.
Required action: Apply updates per vendor instructions.
Summary
A command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.
CVSS 3.1 breakdown
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
- Hikvision ds-2cd2026g2-iu/sl firmware
- Hikvision ds-2cd2026g2-iu/sl
- Hikvision ds-2cd2046g2-iu/sl firmware
- Hikvision ds-2cd2046g2-iu/sl
- Hikvision ds-2cd2066g2-i(u) firmware
- Hikvision ds-2cd2066g2-i(u)
- Hikvision ds-2cd2066g2-iu/sl firmware
- Hikvision ds-2cd2066g2-iu/sl
- Hikvision ds-2cd2086g2-i(u) firmware
- Hikvision ds-2cd2086g2-i(u)
- Hikvision ds-2cd2086g2-iu/sl firmware
- Hikvision ds-2cd2086g2-iu/sl
- Hikvision ds-2cd2166g2-i(su) firmware
- Hikvision ds-2cd2166g2-i(su)
- Hikvision ds-2cd2186g2-i(su) firmware
- Hikvision ds-2cd2186g2-i(su)
- Hikvision ds-2cd2186g2-isu firmware
- Hikvision ds-2cd2186g2-isu
- Hikvision ds-2cd2326g2-isu/sl firmware
- Hikvision ds-2cd2326g2-isu/sl
References
- http://packetstormsecurity.com/files/164603/Hikvision-Web-Server-Build-210702-Command-Injection.html
- http://packetstormsecurity.com/files/166167/Hikvision-IP-Camera-Unauthenticated-Command-Injection.html
- https://therecord.media/experts-warn-of-widespread-exploitation-involving-hikvision-cameras/
- https://www.cyfirma.com/wp-content/uploads/2022/08/HikvisionSurveillanceCamerasVulnerabilities.pdf
- https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-36260
Data: NIST NVD + CISA KEV. NVD last modified 2025-11-10. Always verify against the vendor advisory before acting.