## https://sploitus.com/exploit?id=D2F65666-E792-56C6-ACC6-765C19568BB7
# CVE-2017-7921 โ Hikvision IP Camera / DVR / NVR
**Improper Authentication โ Privilege Escalation via Crafted Query Parameter**
| | |
|---|---|
| **CVE ID** | CVE-2017-7921 |
| **Vulnerability Class** | CWE-287: Improper Authentication |
| **CVSS v3.0 Base Score** | **10.0 (Critical)** โ AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| **CVSS v2.0 Score** | 7.5 (High) โ AV:N/AC:L/Au:N/C:P/I:P/A:P |
| **Disclosure Date** | 2017 (ICS-CERT Advisory ICSA-17-124-01) |
| **Vendor** | Hikvision Digital Technology Co., Ltd. |
| **Status** | Patched โ Hikvision released corrected firmware; unpatched and "grey-market" devices remain exposed |
| **PoC / Exploit Author** | Jared Brits ([K3ysTr0K3R](https://github.com/K3ysTr0K3R)) |
| **Write-up Author** | MK-ULTRA ([github.com/MK-ULTRA-project-monarch](https://github.com/MK-ULTRA-project-monarch)) |
---
## 1. Executive Summary
CVE-2017-7921 is a critical improper-authentication vulnerability affecting the web server component of firmware on a wide range of Hikvision network cameras, DVRs, and NVRs. The flaw allows a remote, unauthenticated attacker to bypass the device's login mechanism entirely by appending a specially crafted, statically defined query parameter to specific HTTP request paths. Because the authentication check trusts this parameter rather than validating a session or credential set, any request carrying it is treated as though it originated from a privileged internal process.
Successful exploitation grants full administrative access to the device web interface, including live and recorded video streams, device configuration, user account data, and โ on many firmware branches โ the ability to download the full device configuration file, which itself contains weakly encrypted stored credentials. The vulnerability requires no user interaction, no prior authentication, and no non-standard network position, which combined with the scale of Hikvision's install base has made it a persistent target for botnet recruitment (e.g., Reaper/IoTroop-family activity) and surveillance-feed harvesting since disclosure.
## 2. Affected Products
The vulnerability was confirmed across multiple Hikvision product families running firmware branches predating the 2017 security patch. Representative affected lines include:
- DS-2CD2xx2F-I series โ firmware V5.2.0 (build 140721) through V5.4.0 (build 160530)
- DS-2CD2xx0F-I series โ firmware V5.2.0 (build 140721) through V5.4.0 (build 160401)
- DS-2CD2xx2FWD series โ firmware V5.3.1 (build 150410) through V5.4.4 (build 161125)
- DS-2CD4x2xFWD series โ firmware V5.2.0 (build 140721) through V5.4.0 (build 160414)
- DS-2CD4xx5 series โ firmware V5.2.0 (build 140721) through V5.4.0 (build 160421)
- DS-2DFx PTZ series โ firmware V5.2.0 (build 140805) through V5.4.5 (build 160928)
- DS-2CD63xx series and select NVR/DVR product lines sharing the same web-server codebase
> Hikvision also flagged an ongoing complication specific to this CVE: a large population of "grey-market" devices sold outside authorized distribution channels run modified, non-Hikvision firmware. Standard firmware updates do not reliably remediate these units, and in some cases revert the interface rather than patch it.
## 3. Technical Analysis
### 3.1 Root Cause
Standard Hikvision device authentication is built on HTTP Basic/Digest auth guarding the web management interface. In vulnerable firmware, however, a subset of internal request-handling endpoints contain a secondary, undocumented authentication path intended for internal/debug use. This path does not perform a credential lookup โ it inspects the request for the presence of a fixed, hardcoded token and, if found, treats the request as pre-authenticated, bypassing the normal role-based access control (RBAC) checks entirely.
The token is a Base64-encoded representation of a static default credential pair embedded in the firmware itself. Because it is a constant rather than a derived session value, it is identical across every vulnerable device regardless of the administrator password actually configured on that unit โ changing the admin password does not mitigate the vulnerability.
### 3.2 Exploitation Path
At a high level, exploitation follows this sequence:
1. The attacker identifies a reachable Hikvision device (commonly via Shodan/Censys fingerprinting of the exposed web management port).
2. A crafted HTTP GET request is sent to a known vulnerable endpoint with the static authentication token appended as a query parameter, rather than presenting a username/password.
3. The vulnerable firmware's request handler validates the token instead of a session or credential, and services the request with administrative privilege.
4. The attacker can now enumerate and modify device configuration, view live/recorded streams, and โ on affected builds โ retrieve the full configuration export, which stores additional account credentials under weak, static-key encryption that can be reversed offline.
> No memory corruption, buffer overflow, or client-side interaction is involved; the entire attack is a single crafted, stateless HTTP request, which is what makes it trivially scriptable and scanner-friendly.
### 3.3 Why It Persists
Three factors account for the CVE's unusually long tail of real-world exposure:
- Devices are frequently deployed once and never re-visited for firmware updates, especially in residential and small-business installs.
- Grey-market units running unauthorized firmware often cannot be patched through official channels at all.
- The vulnerability is index-friendly โ because exploitation is a single unauthenticated HTTP request, mass scanning tools can enumerate vulnerable hosts across the entire IPv4 space cheaply, which is precisely how it has been leveraged for IoT botnet recruitment.
## 4. Impact
| Metric | Impact |
|---|---|
| **Confidentiality** | Complete โ live/recorded video, device configuration, and stored (weakly encrypted) credentials are exposed. |
| **Integrity** | Complete โ attacker can modify device configuration, user accounts, and stream settings. |
| **Availability** | Complete โ attacker can disable recording, reboot, or otherwise disrupt device operation. |
| **Scope** | Changed (CVSS v3) โ compromise of the device frequently enables pivoting into the broader network or recruitment into distributed botnets. |
## 5. Detection & Indicators
- Unauthenticated HTTP GET requests to device management endpoints containing an appended, non-user query parameter resembling a Base64-encoded credential string.
- Configuration export requests (e.g., device config/backup file retrieval) originating from sessions that never completed standard Basic/Digest authentication.
- Unexpected outbound connections from camera/NVR devices consistent with botnet check-in traffic (a common secondary indicator once a device has been mass-exploited).
- Vendor and third-party detection content: Check Point IPS signature CPAI-2017-0876, Tenable.ot plugin `tenable_ot_hikvision_CVE-2017-7921.nasl`, and CISA/ICS-CERT advisory ICSA-17-124-01.
## 6. Remediation
- Update to the Hikvision firmware version that remediates this advisory for the specific product/model โ verify against Hikvision's official firmware portal, not third-party mirrors.
- Never expose the device web management interface directly to the internet; place cameras/NVRs behind a VPN (e.g., WireGuard) or on an isolated VLAN with no inbound WAN port forwarding.
- Disable UPnP on the router/device so the camera cannot silently re-open the port it was just closed on.
- Rotate all device credentials after patching, since a previously exploited unit may have had its configuration file exfiltrated and decrypted offline.
- For grey-market or unauthorized-firmware units that cannot be patched through official channels, isolate or decommission the device rather than relying on firmware updates.
- Monitor for the detection indicators in Section 5 as a compensating control on networks where immediate patching isn't feasible.
## 7. Proof of Concept
A working PoC for CVE-2017-7921 was authored by Jared Brits (K3ysTr0K3R) and is maintained at [github.com/K3ysTr0K3R/CVE-2017-7921-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2017-7921-EXPLOIT). Consistent with responsible-disclosure practice, this write-up does not embed exploit source, live target output, or captured credentials/footage.
*[ Reserved for PoC screenshots against a device you own or are explicitly authorized to test โ e.g., an isolated homelab VM/camera with no proxychains, no third-party targets, and no live footage from a real deployment. ]*
## 8. References
- CISA / ICS-CERT Advisory ICSA-17-124-01 โ Hikvision IP Camera Improper Authentication.
- NVD โ [CVE-2017-7921 Detail](https://nvd.nist.gov/vuln/detail/CVE-2017-7921), nvd.nist.gov.
- Check Point Research Advisory CPAI-2017-0876 โ Hikvision IP Cameras Authentication Bypass.
- Tenable.ot Plugin โ `tenable_ot_hikvision_CVE-2017-7921.nasl`.
- Jared Brits (K3ysTr0K3R), CVE-2017-7921-EXPLOIT โ proof-of-concept and responsible-disclosure notes, GitHub.
## 9. Credits
- **Exploit / PoC:** Jared Brits (K3ysTr0K3R) โ [github.com/K3ysTr0K3R/CVE-2017-7921-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2017-7921-EXPLOIT)
- **Write-up:** MK-ULTRA โ [github.com/MK-ULTRA-project-monarch](https://github.com/MK-ULTRA-project-monarch)
- **IG:** [@projectmonarch_mk_ultra](https://instagram.com/projectmonarch_mk_ultra)
---
*Prepared for collaborative research documentation. This write-up covers vulnerability mechanics, impact, detection, and remediation for defensive and educational reference; it does not include ready-to-run exploit code or evidence from unauthorized targets.*