Vulnerability Details : CVE-2022-28171
Potential exploit
The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.
Published
2022-06-27 18:15:09
Updated
2023-08-02 17:21:07
Products affected by CVE-2022-28171
- cpe:2.3:o:hikvision:ds-a71024_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a71024_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a71048_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a71072r_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a80624s_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a81016s_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a72024_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a72024_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a72072r_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a80316s_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a82024d_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a71048r-cvs_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:hikvision:ds-a72048r-cvs_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-28171
86.17%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-28171
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
Hangzhou Hikvision Digital Technology Co., Ltd. | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-28171
-
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: hsrc@hikvision.com (Secondary)
References for CVE-2022-28171
-
http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html
Hikvision Remote Code Execution / XSS / SQL Injection ≈ Packet StormThird Party Advisory;VDB Entry
-
http://packetstormsecurity.com/files/173653/Hikvision-Hybrid-SAN-Ds-a71024-SQL-Injection.html
Hikvision Hybrid SAN Ds-a71024 SQL Injection ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products/
Security Vulnerability in Some Hikvision Hybrid SAN Products - Security Advisory - HikvisionVendor Advisory
Jump to