CVE-2023-6895

MEDIUM EXPLOITED NUCLEI

Hikvision Intercom Broadcast System 3.0.3-4.1.0 - OS Command Injection via jsondata[ip] Parameter

Title source: llm
Exploitation Summary

CVE-2023-6895 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including FuBoLuSec, nles-crt. A Nuclei detection template is also available.

Description

A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK) and has been declared critical. It affects unknown code in the file /php/ping.php. Manipulating the argument jsondata[ip] with the input netstat -ano leads to OS command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 addresses this issue, and upgrading the affected component is recommended. VDB-248254 is the identifier assigned to this vulnerability.

Exploits (2)

nomisec WORKING POC 5 stars
by FuBoLuSec · remote
https://github.com/FuBoLuSec/CVE-2023-6895

The repository contains a functional Python exploit for CVE-2023-6895, targeting a command injection vulnerability in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE. The exploit sends a crafted POST request to '/php/ping.php' with a malicious payload in the 'jsondata' parameter to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE
No auth needed
Prerequisites: Network access to the target system · Target system running vulnerable Hikvision Intercom Broadcasting System
devstral-2 · analyzed Feb 18, 2026

nomisec SCANNER
by nles-crt · remote
https://github.com/nles-crt/CVE-2023-6895

This repository contains a Python script that scans for CVE-2023-6895 by sending a crafted POST request to '/php/ping.php' and checking if the response contains the injected string 'test'. It does not demonstrate full exploitation but confirms vulnerability presence.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Unknown (likely a PHP-based application with a vulnerable ping.php endpoint)
No auth needed
Prerequisites: Network access to the target · Vulnerable endpoint '/php/ping.php'
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Hikvision IP ping.php - Command Execution
CRITICAL · VERIFIED · by DhiyaneshDk, archer
Shodan: http.favicon.hash:"-1830859634"
FOFA: icon_hash="-1830859634"

References (3)

Core References
https://vuldb.com/?id.248254 (Third Party Advisory; vdb-entry; technical-description)
https://vuldb.com/?ctiid.248254 (Permissions Required, Third Party Advisory; signature; permissions-required)
https://github.com/willchen0011/cve/blob/main/rce.md (Exploit, Third Party Advisory; exploit)

Scores

CVSS v3: 6.3
EPSS: 0.8914
EPSS Percentile: 99.8%
Attack Vector: ADJACENT_NETWORK
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

VulnCheck KEV: 2026-02-23
CWE: CWE-78
Status: published
Products (1): hikvision/intercom_broadcast_system 3.0.3 - 4.1.0
Published: Dec 17, 2023
Tracked Since: Feb 18, 2026