CVE-2022-28171

HIGH

Hikvision Ds-a71024 Firmware < 2.3.8-6 - Command Injection

Title source: rule

Description

The web module in some Hikvision Hybrid SAN/Cluster Storage products has the following security vulnerability: due to insufficient input validation, an attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.

Exploits (3)

exploitdb WORKING POC
by Thurein Soe · python · remote · hardware
https://www.exploit-db.com/exploits/51607
nomisec WORKING POC 4 stars
by NyaMeeEain · poc
https://github.com/NyaMeeEain/CVE-2022-28171-POC
nomisec SCANNER 2 stars
by aengussong · poc
https://github.com/aengussong/hikvision_probe

Scores

CVSS v3 7.5
EPSS 0.8410
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-78 CWE-77
Status published
Products (11)
hikvision/ds-a71024_firmware < 2.3.8-6
hikvision/ds-a71048_firmware < 2.3.8-6
hikvision/ds-a71048r-cvs_firmware < 1.1.4
hikvision/ds-a71072r_firmware < 2.3.8-6
hikvision/ds-a72024_firmware < 2.3.8-6
hikvision/ds-a72048r-cvs_firmware < 1.1.4
hikvision/ds-a72072r_firmware < 2.3.8-6
hikvision/ds-a80316s_firmware < 2.3.8-6
hikvision/ds-a80624s_firmware < 2.3.8-6
hikvision/ds-a81016s_firmware < 2.3.8-6
... and 1 more
Published Jun 27, 2022
Tracked Since Feb 18, 2026