How do attackers exploit CVE-2017-7921 in Hikvision cameras?

Attackers exploit the cameras by sending specially crafted HTTP requests to vulnerable camera endpoints, such as requests to URLs like '/System/deviceInfo?auth=YWRtaW46MTEK' where the base64 encoded string decodes to 'admin:11'. This indicates threat actors are using the authentication bypass vulnerability combined with brute-force attempts against devices with weak, easily guessable passwords.

Which Hikvision camera models are affected by CVE-2017-7921?

Affected devices include DS-2CD2xx2F-I Series, DS-2CD2xx0F-I Series, DS-2CD2xx2FWD Series, DS-2CD4x2xFWD Series, DS-2CD4xx5 Series, DS-2DFx Series, and DS-2CD63xx Series, spanning various firmware versions from V5.0.9 build 140305 through V5.4.9 Build 170302, depending on the specific model series.

How widespread is the CVE-2017-7921 vulnerability exposure?

Hundreds of thousands of vulnerable devices remain exposed to the Internet. The vulnerability's impact is amplified by widespread rebranding practices, where multiple manufacturers sell Hikvision-manufactured cameras under different brand names, making it difficult for users to identify if their devices are affected.

Attack

Critical 8 years old Hikvision Camera flaw actively exploited again

Q: What is CVE-2017-7921 and how severe is this Hikvision vulnerability?

CVE-2017-7921 is a critical vulnerability in Hikvision security cameras with a CVSS score of 10, the highest possible severity rating. SANS researchers have observed a recent surge in malicious activity targeting this authentication bypass vulnerability that allows attackers to gain unauthorized access to camera systems.

Q: What can attackers do once they compromise Hikvision cameras through CVE-2017-7921?

Successful attackers can download configuration files containing user credentials, modify system settings, change administrative passwords to lock out legitimate users, and potentially use the compromised camera as a pivot point for lateral movement within internal networks. The configuration files use weak encryption with a static key, making it possible to decrypt them and harvest credentials.

Q: Why is it difficult to identify cameras affected by CVE-2017-7921?

The identification challenge stems from widespread rebranding practices in the security camera industry. Many manufacturers rebrand and sell Hikvision cameras under their own names, making it difficult for users to recognize that their devices are actually Hikvision-manufactured and potentially vulnerable to this critical security flaw.

published: Sept. 25, 2025

Take action: If you have Hikvision security cameras (or rebranded versions), immediately update to the latest firmware and change all default passwords to strong, unique ones. Make sure to isolate your cameras from the internet and restrict management access to trusted networks only.

Learn More

SANS researchers have observed a recent surge in malicious activity targeting CVE-2017-7921 (CVSS score 10), a critical vulnerability in Hikvision security cameras.

Attackers exploit the cameras by sending specially crafted HTTP requests to vulnerable camera endpoints. Recent attack attempts have been characterized by web requests to specific URLs such as "/System/deviceInfo?auth=YWRtaW46MTEK" where the base64 encoded string "YWRtaW46MTEK" decodes to "admin:11".

This attack pattern indicates that threat actors are using the authentication bypass vulnerability in combination with brute-force attempts against devices configured with weak, easily guessable passwords.

Attackers who successfully compromise these devices can download configuration files containing user credentials, modify system settings, change administrative passwords to lock out legitimate users, and potentially use the compromised camera as a pivot point for lateral movement within internal networks. The downloaded configuration files, are encrypted but use weak encryption with a static key, making it possible for attackers to decrypt them and harvest user credentials

Affected devices are:

DS-2CD2xx2F-I Series (V5.2.0 build 140721 through V5.4.5 Build 170123)
DS-2CD2xx0F-I Series (V5.2.0 build 140721 through V5.4.5 Build 170123)
DS-2CD2xx2FWD Series (V5.3.1 build 150410 through V5.4.5 Build 170123)
DS-2CD4x2xFWD Series (V5.2.0 build 140721 through V5.4.5 Build 170222)
DS-2CD4xx5 Series (V5.2.0 build 140721 through V5.4.5 Build 170302)
DS-2DFx Series (V5.2.0 build 140805 through V5.4.9 Build 170123)
DS-2CD63xx Series (V5.0.9 build 140305 through V5.4.5 Build 170206)

Hundreds of thousands of vulnerable devices remain exposed to the Internet

The vulnerability's impact is amplified by the widespread practice of rebranding, where multiple manufacturers sell Hikvision-manufactured cameras under different brand names. Many other manufacturers rebrand and sell Hikvision cameras under their own names, making it difficult for users to identify if their devices are affected.

Organizations utilizing Hikvision cameras or potentially affected rebranded devices should immediately apply the latest firmware updates from Hikvision, use strong, unique passwords for all camera accounts and isolate network access of the camera management interfaces to trusted networks only.

Critical 8 years old Hikvision Camera flaw actively exploited again

Read More
PTC Warns of Imminent RCE Threat in Windchill …
OpenMetadata platform flaws exploited to mine cryptocurrency
Sophos Web Appliance flaw activelly exploited by hacker …
WordPress malware campaign disguised as legitimate Security Plugin
Hackers are attacking a critical RCE flaw in …