Aug. 24, 2022, 8:46 p.m.
80,000 internet-connected cameras still vulnerable after critical patch offered

Just more IoT conscripts for the botnet armies


Tens of thousands of internet-facing IP cameras made by China-based Hikvision remain unpatched and exploitable despite a fix being issued for a critical security bug nearly a year ago.

Researchers at Cyfirma recently published a report [PDF] claiming they found more than 80,000 cameras in more than 100 countries online, with ports open and no protection against CVE-2021-36260, a command-injection vulnerability exploitable by anyone with HTTP access to TCP ports 80 or 443 of an affected camera.

Awarded a CVSS score of 9.8 out of 10 in severity, the Hikvision bug was considered serious enough for the US Cybersecurity and Infrastructure Security Agency to add it to its list of "Must patch" security flaws early this year, adding that the vulnerability is already being exploited.

Given how simple the bug is to exploit, its known past use, and the continued discussion of its merits, it's safe to assume that unpatched Hikvision cameras are already compromised.

Patches for affected Hikvision devices, of which there are more than 70 models, are available on the maker's website, where Hikvision urges its distributors to "Work with your customers to ensure proper cyber hygiene and install the updated firmware."

"Open vulnerabilities and ports in such devices will only compound the impact on targeted organizations and their countries' economic and state prowess. It is paramount to patch the vulnerable software of the Hikvision camera products to the latest version," Cyfirma said.

America has also considered a wider ban on Hikvision through restrictions on US investment in the company as well as freezing its assets held in the US. Similar discussions are being had in the UK, where several lawmakers backed a campaign in July to ban the sale or use of Hikvision or Dahua cameras for the same human rights-based reasons as the US.
