Hikvision


Products by Hikvision Sorted by Most Security Vulnerabilities since 2018

Hikvision Hikcentral Master: 2 vulnerabilities
Hikvision Isecure Center: 2 vulnerabilities
Hikvision Dvr Firmware: 1 vulnerability
Hikvision Ip Cameras: 1 vulnerability

Known Exploited Hikvision Vulnerabilities

The following Hikvision vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Hikvision Multiple Products Improper Authentication Vulnerability (CVE-2017-7921)
Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.
Exploit Probability: 94.3%. Added: March 5, 2026

Hikvision Improper Input Validation (CVE-2021-36260)
A command injection vulnerability in the web server of some Hikvision products, due to insufficient input validation.
Exploit Probability: 94.4%. Added: January 10, 2022

Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 3 vulnerabilities in Hikvision products with an average score of 8.3 out of ten. Last year, in 2025, Hikvision had 7 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Hikvision products in 2026 could surpass last year's number. In addition, the average CVE base score of the 2026 vulnerabilities is higher by 0.12.

Year | Vulnerabilities | Average Score
2026 | 3 | 8.27
2025 | 7 | 8.15
2024 | 6 | 7.30
2023 | 3 | 7.93
2022 | 0 | 0.00
2021 | 0 | 0.00
2020 | 0 | 0.00
2019 | 0 | 0.00
2018 | 2 | 0.00

It may take a day or so for new Hikvision vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Hikvision Security Vulnerabilities

CVE-2026-0709 (Jan 30, 2026)
Hikvision Wireless AP Authenticated Cmd Exec via Unvalidated Input
Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.

CVE-2025-66177 (Jan 13, 2026)
Stack Overflow in Hikvision NVR Search & Discovery
There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision NVR/DVR/CVR/IPC models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device.

CVE-2025-66176 (Jan 13, 2026)
Stack Overflow in Hikvision AC Search & Discovery
There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision Access Control products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device.

CVE-2025-66174 (Dec 19, 2025)
Hikvision DVR Serial Port Authentication Bypass
There is an improper authentication vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and running a series of commands.

CVE-2025-66173 (Dec 19, 2025)
Hikvision DVR Priv Esc via Serial Port Auth
There is a privilege escalation vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and gaining access to an unrestricted shell environment.

CVE-2023-53691 (Oct 22, 2025)
Hikvision CSMP iSecure Center File Upload
Hikvision CSMP (Comprehensive Security Management Platform) iSecure Center through 2023-06-25 allows file upload via /center/api/files directory traversal, as exploited in the wild in 2024 and 2025.
Products: Csmp Isecure Center

CVE-2024-58274 (Oct 22, 2025)
Command Injection via JSON $( ) in Hikvision CSMP iSecure Center
Hikvision CSMP (Comprehensive Security Management Platform) iSecure Center through 2024-08-01 allows execution of a command within $( ) in /center/api/installation/detection JSON data, as exploited in the wild in 2024 and 2025.
Products: Csmp Isecure Center

CVE-2023-28815 (Oct 17, 2025)
Hikvision iSecure Center: Command Injection via Insufficient Parameter Validation
Some versions of Hikvision's iSecure Center product contain insufficient parameter validation, resulting in a command injection vulnerability. Attackers may exploit this to gain platform privileges and execute arbitrary commands on the system. iSecure Center is software released for China's domestic market only, with no overseas release.
Products: Isecure Center

CVE-2023-28814 (Oct 17, 2025)
Hikvision iSecure Center Improper File Upload Vulnerability
Some versions of Hikvision's iSecure Center product have an improper file upload control vulnerability. Due to improper verification of the file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release.
Products: Isecure Center

CVE-2025-34067 (Jul 02, 2025)
Remote Command Execution in Hikvision applyCT via Fastjson Deserialization
An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

CVE-2024-47487 (Oct 18, 2024)
HikCentral Pro SQLi Enables Authenticated Query Execution
There is a SQL injection vulnerability in some HikCentral Professional versions. This could allow an authenticated user to execute arbitrary SQL queries.
Products: Hikcentral Professional

CVE-2024-47486 (Oct 18, 2024)
HikCentral Master Lite XSS Script Injection via Malicious Data
There is an XSS vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could inject scripts into certain pages by building malicious data.
Products: Hikcentral Master

CVE-2024-47485 (Oct 18, 2024)
HikCentral Master Lite CSV Injection
There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file.
Products: Hikcentral Master

CVE-2023-33806 (Apr 15, 2024)
Hikvision DS-D5B86RB/B V2.3.0 Insecure Default Config => Remote CMD Exec
Insecure default configurations in Hikvision Interactive Tablet DS-D5B86RB/B V2.3.0 build220119 allow attackers to execute arbitrary commands.
Products: Ds D5b86rbb Firmware

CVE-2024-25063 (Mar 02, 2024)
Unauthorized URL Access via Insufficient Server-Side Validation
Due to insufficient server-side validation, a successful exploit of this vulnerability could allow an attacker to gain access to certain URLs that the attacker should not have access to.
Products: Hikcentral Professional

CVE-2024-25064 (Mar 02, 2024)
Insufficient Server-Side Validation Allows Privileged Resource Access
Due to insufficient server-side validation, an attacker with login privileges could access certain resources that the attacker should not have access to by changing parameter values.
Products: Hikcentral Professional

CVE-2023-28813 (Nov 23, 2023)
Plugin Parameter Modification via Crafted Messages Leads to Malicious File Download
An attacker could exploit a vulnerability by sending crafted messages to computers with this plug-in installed to modify plug-in parameters, which could cause affected computers to download malicious files.
Products: Localservicecomponents

CVE-2023-28812 (Nov 23, 2023)
Adobe Flash Plug-in Buffer Overflow Remote Code Execution
There is a buffer overflow vulnerability in a web browser plug-in that could allow an attacker to exploit the vulnerability by sending crafted messages to computers with this plug-in installed, which could lead to arbitrary code execution or cause a process exception in the plug-in.
Products: Localservicecomponents

CVE-2023-28811 (Nov 23, 2023)
Buffer Overflow in Hikvision NVR/DVR Password Recovery (LAN)
There is a buffer overflow in the password recovery feature of Hikvision NVR/DVR models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device.
Products: Dvr Firmware

CVE-2018-6414 (Aug 13, 2018)
A buffer overflow vulnerability in the web server of some Hikvision IP Cameras
A buffer overflow vulnerability in the web server of some Hikvision IP Cameras allows an attacker to send a specially crafted message to affected devices. Due to insufficient input validation, a successful exploit can corrupt memory and lead to arbitrary code execution or crash the process.
Products: Ip Cameras

CVE-2018-6413 (Apr 18, 2018)
There is a buffer overflow in the Hikvision Camera DS-2CD9111-S of V4.1.2 build 160203 and before, and this vulnerability allows remote attackers to launch a denial of service attack (service interruption) via a crafted network setting interface request.

CVE-2017-14953 (Dec 01, 2017)
HikVision Wi-Fi IP cameras, when used in a wired configuration, allow physically proximate attackers to trigger association with an arbitrary access point by leveraging a default SSID with no WiFi encryption or authentication. NOTE: Vendor states that this is not a vulnerability, but more an increase to the attack surface of the product.
Products: Ds 2cd2432f Iw Firmware
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).