80,000 internet-connected cameras still vulnerable after critical patch offered
Tens of thousands of internet-facing IP cameras made by China-based Hikvision remain unpatched and exploitable despite a fix being issued for a critical security bug nearly a year ago.
Awarded a CVSS score of 9.8 out of 10 in severity, the Hikvision bug was considered serious enough for the US Cybersecurity and Infrastructure Security Agency to add it to its list of "Must patch" security flaws early this year, adding that the vulnerability is already being exploited.
Given how simple the exploit is to execute, its past known use, and the continued discussion of its merits, it's safe to assume that unpatched Hikvision cameras are already compromised.
Patches for affected Hikvision devices, of which there are more than 70 models, are available on the maker's website, where Hikvision urges its distributors to "Work with your customers to ensure proper cyber hygiene and install the updated firmware."
"Open vulnerabilities and ports in such devices will only compound the impact on targeted organizations and their countries' economic and state prowess. It is paramount to patch the vulnerable software of the Hikvision camera products to the latest version," Cyfirma said.
America has also considered a wider ban on Hikvision through restrictions on US investment in the company as well as freezing its assets held in the US. Similar discussions are being had in the UK, where several lawmakers backed a campaign in July to ban the sale or use of Hikvision or Dahua cameras for the same human rights-based reasons as the US.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/08/24/hikvision_camera_patch/