CVE-2021-36260

CRITICAL · KEV · NUCLEI

Hikvision IP Camera Unauthenticated Command Injection

Title source: metasploit

Exploitation Summary

CVE-2021-36260 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 10, 2022. EIP tracks 16 public exploits from researchers including bashis, tamim1089 and Aiminsun, as well as a Metasploit module (exploits/linux/http/hikvision_cve_2021_36260_blind). A Nuclei detection template is also available.

AI-analyzed exploit summary: This Python script exploits CVE-2021-36260, a command injection vulnerability in Hikvision Web Server Build 210702. It allows unauthenticated remote code execution via the `/SDK/webLanguage` endpoint by injecting commands into the `<language>` XML tag.

Description

A command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.

Exploits (16)

exploitdb WORKING POC
by bashis · python · webapps · hardware
https://www.exploit-db.com/exploits/50441

This Python script exploits CVE-2021-36260, a command injection vulnerability in Hikvision Web Server Build 210702. It allows unauthenticated remote code execution via the `/SDK/webLanguage` endpoint by injecting commands into the `<language>` XML tag.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision Web Server Build 210702
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable Hikvision Web Server
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 330 stars
by tamim1089 · poc
https://github.com/tamim1089/HikvisionExploiter

This repository contains a functional exploit for CVE-2021-36260, targeting Hikvision IP cameras with firmware version 3.1.3.150324. It includes tools for snapshot access verification, config file decryption, credential extraction, and remote command execution via a PUT-to-file RCE vulnerability.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision IP cameras (firmware 3.1.3.150324)
No auth needed
Prerequisites: Target IP and port list · Python 3.6+ · pycrypto library
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 291 stars
by Aiminsun · remote
https://github.com/Aiminsun/CVE-2021-36260

This repository contains a functional Python exploit for CVE-2021-36260, a command injection vulnerability in Hikvision Web Server Build 210702. The exploit leverages command injection in the `<language>` tag of the `/SDK/webLanguage` endpoint to achieve unauthenticated remote code execution (RCE).

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision Web Server Build 210702
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable version of Hikvision Web Server
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 164 stars
by Cuerz · remote
https://github.com/Cuerz/CVE-2021-36260

This repository contains a functional exploit for CVE-2021-36260, a remote code execution (RCE) vulnerability in Hikvision devices. The exploit leverages command injection via the `/SDK/webLanguage` endpoint to execute arbitrary commands and write output to a file, which is then retrieved by the attacker.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Hikvision devices (specific versions not specified)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable version of Hikvision firmware
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 19 stars
by TaroballzChen · remote
https://github.com/TaroballzChen/CVE-2021-36260-metasploit

This repository contains a functional Metasploit module for CVE-2021-36260, a command injection vulnerability in Hikvision Web Server Build 210702. The exploit leverages a command injection flaw in the `/SDK/webLanguage` endpoint by embedding malicious commands within the `<language>` XML tag.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision Web Server Build 210702
No auth needed
Prerequisites: Network access to the target Hikvision device · Target device must be running a vulnerable version of the Hikvision Web Server
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 16 stars
by rabbitsafe · remote
https://github.com/rabbitsafe/CVE-2021-36260

This repository contains a functional exploit for CVE-2021-36260, a command injection vulnerability in Hikvision devices. The exploit leverages the `/SDK/webLanguage` endpoint to inject commands via the `<language>` XML tag, allowing for remote code execution (RCE) and shell access.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision devices (specific versions not specified)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable version of Hikvision firmware
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 7 stars
by tuntin9x · remote
https://github.com/tuntin9x/CheckHKRCE

This repository contains a functional Python script that exploits CVE-2021-36260, an unauthenticated remote command execution vulnerability in Hikvision IP cameras. The exploit leverages command injection in the `<language>` tag of an XML payload sent to the `/SDK/webLanguage` endpoint.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision IP Camera (multiple versions)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable version of Hikvision firmware
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by yanxinwu946 · remote
https://github.com/yanxinwu946/hikvision-unauthenticated-rce-cve-2021-36260

This repository contains a functional exploit for CVE-2021-36260, an unauthenticated RCE vulnerability in Hikvision devices. The exploit leverages command injection via the `/SDK/webLanguage` endpoint to execute arbitrary commands and retrieve output.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Hikvision devices (specific versions not specified)
No auth needed
Prerequisites: Network access to the target device · Target device must be vulnerable to CVE-2021-36260
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER 2 stars
by aengussong · remote
https://github.com/aengussong/hikvision_probe

This repository contains a scanner for multiple Hikvision vulnerabilities, including CVE-2022-28171, which is a blind SQL injection vulnerability. The scanner checks for the presence of vulnerabilities by sending crafted requests and analyzing responses.

Classification: Scanner 90% · Attack type: SQLi · Complexity: Moderate · Reliability: Reliable
Target: Hikvision devices
No auth needed
Prerequisites: Network access to the target device
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by NanoTrash · remote
https://github.com/NanoTrash/hikvision_brute

This repository contains a functional Go-based brute-forcing tool that exploits CVE-2021-36260, a command injection vulnerability in Hikvision cameras. The exploit sends crafted XML payloads to the `/SDK/webLanguage` endpoint to achieve remote code execution (RCE) and verifies success by checking for a created file.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision cameras (affected versions not specified)
No auth needed
Prerequisites: Network access to the target Hikvision camera · Vulnerable `/SDK/webLanguage` endpoint exposed
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by haingn · remote
https://github.com/haingn/HIK-CVE-2021-36260-Exploit

This repository contains a functional Go-based exploit for CVE-2021-36260, targeting Hikvision cameras. The exploit leverages command injection via the `/SDK/webLanguage` endpoint to achieve remote code execution (RCE) and includes brute-forcing capabilities for multiple targets.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision cameras (affected versions)
No auth needed
Prerequisites: Network access to the target Hikvision camera · Vulnerable `/SDK/webLanguage` endpoint exposed
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by code-msga · remote
https://github.com/code-msga/HikvisionExploiter_fixed

This repository contains a functional exploit for CVE-2021-36260, a command injection vulnerability in Hikvision devices. The exploit includes a scanner to detect vulnerable targets and a shell script to achieve remote code execution (RCE) via crafted XML payloads.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision devices (affected versions not specified)
No auth needed
Prerequisites: Network access to the target device · Target device must be vulnerable to CVE-2021-36260
devstral-2 · analyzed Jun 02, 2026
nomisec WORKING POC
by saaydmr · poc
https://github.com/saaydmr/hikvision-exploiter

This PoC exploits CVE-2017-7921, an information disclosure vulnerability in Hikvision devices, by extracting encrypted configuration files and decrypting credentials. It also captures snapshots from vulnerable devices.

Classification: Working PoC 95% · Attack type: Info Leak · Complexity: Moderate · Reliability: Reliable
Target: Hikvision devices (specific version not specified)
No auth needed
Prerequisites: Network access to the target device · Target device must be vulnerable to CVE-2017-7921
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by shubtheone · remote
https://github.com/shubtheone/CVE-2021-36260-hikvision

This repository contains a functional Python exploit for CVE-2021-36260, a command injection vulnerability in Hikvision Web Server Build 210702. The exploit leverages command injection in the `<language>` tag of the `/SDK/webLanguage` endpoint to achieve unauthenticated remote code execution.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision Web Server Build 210702
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable Hikvision Web Server
devstral-2 · analyzed Feb 19, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/idssgmcc/CVE-2021-36260

The repository contains a functional exploit for CVE-2021-36260, a command injection vulnerability in Hikvision devices. The PoC sends a crafted XML payload to the `/SDK/webLanguage` endpoint, executing arbitrary commands (e.g., `ifconfig -a > webLib/dd.asp`).

Classification: Working PoC 95% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Hikvision devices (specific version not specified)
No auth needed
Prerequisites: Network access to the target device · Target device must be vulnerable to CVE-2021-36260
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC EXCELLENT
by Watchful_IP, bashis, jbaines-r7 · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hikvision_cve_2021_36260_blind.rb

This Metasploit module exploits an unauthenticated command injection vulnerability (CVE-2021-36260) in Hikvision IP cameras via the `/SDK/webLanguage` endpoint. It supports both direct command execution and staged payload delivery, targeting the blind variant of the attack.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Hikvision IP cameras (e.g., HWI-B120-D/W with firmware V5.5.101 build 200408)
No auth needed
Prerequisites: Network access to the target device · Vulnerable Hikvision IP camera with exposed `/SDK/webLanguage` endpoint
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Hikvision IP camera/NVR - Remote Command Execution
CRITICAL · by pdteam, gy741, johnk3r
Shodan: http.favicon.hash:999357577
FOFA: icon_hash=999357577

Scores

CVSS v3 9.8
EPSS 0.9444
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-01-10
VulnCheck KEV 2021-12-06
InTheWild.io 2021-12-09
ENISA EUVD EUVD-2021-22880
CWE
CWE-78
Status published
Products (50)
hikvision/ds-2cd2021g1-i\(w\)_firmware
hikvision/ds-2cd2023g2-i\(u\)_firmware
hikvision/ds-2cd2026g2-iu\/sl_firmware
hikvision/ds-2cd2027g2-l\(u\)_firmware
hikvision/ds-2cd2027g2-lu\/sl_firmware
hikvision/ds-2cd2043g2-i\(u\)_firmware
hikvision/ds-2cd2046g2-iu\/sl_firmware
hikvision/ds-2cd2047g2-l\(u\)_firmware
hikvision/ds-2cd2063g2-i\(u\)_firmware
hikvision/ds-2cd2066g2-i\(u\)_firmware
... and 40 more
Published Sep 22, 2021
KEV Added Jan 10, 2022
Tracked Since Feb 18, 2026