CVE-2022-28171 - How Hackers Could Run Commands on Hikvision Hybrid SAN/Cluster Storage Devices

In recent years, security vulnerabilities in IoT and smart devices have drawn considerable attention. This post takes a deep dive into CVE-2022-28171, a significant flaw in several Hikvision Hybrid SAN/Cluster Storage units. We'll explain how the vulnerability works, show you sample exploit code, discuss the affected products, and offer practical mitigation advice—all in simple, straightforward language.

What Is CVE-2022-28171?

*Reported on March 21, 2022*, CVE-2022-28171 is a remote command injection flaw in the web management module of specific Hikvision storage products. Due to insufficient input validation in its handling of HTTP messages, an attacker can send requests with specially crafted payloads, allowing them to execute unauthorized commands as if they were an admin.

Simply put: If your device is vulnerable, a hacker could gain control just through the network—no password needed.

Affected Devices

Here's a non-exhaustive list of products known to be vulnerable (for the complete list, see the original Hikvision Security Advisory):

- Hikvision Hybrid SAN/Cluster Storage (models before firmware v3..-280826)

How Does the Exploit Work?

When you manage a Hikvision storage device using its web interface, your browser is sending HTTP requests to the device's backend over the network. Because the backend doesn't properly check the contents of some user-included fields, attackers can sneak malicious commands as part of their request. These commands are then executed on the underlying operating system—usually with high privileges.

In technical terms: This is a classic case of "command injection" due to missing or wrong input validation.
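Where the fix for this class of bug belongs is the backend handler, not the caller. The following is an added example, not Hikvision's code or the page's own: a hypothetical request handler in which the tool path (storagectl), the `param` field name and the allowlist pattern are all assumptions. It places the injectable way of building a command next to two hardened forms, and shows the handler rejecting the page's `test; uname -a` payload with a 400 instead of running anything.

```python
import re
import shlex
import subprocess

# Allowlist for the user-supplied field. The real field format is not documented
# on the page, so this pattern (volume-name style, 1-64 chars) is an assumption.
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Hypothetical backend tool the handler drives; the path is a placeholder.
TOOL = "/usr/local/bin/storagectl"


def build_command_unsafe(param: str) -> str:
    """Injectable pattern: the field is pasted straight into a shell line.

    Returns the string that would reach ``/bin/sh -c``; a ';' in ``param``
    ends the intended command and everything after it runs as a new one.
    """
    return f"{TOOL} status {param}"


def validate_param(param: str) -> str:
    """Reject anything outside the allowlist instead of trying to strip metacharacters."""
    if not SAFE_PARAM.fullmatch(param):
        raise ValueError(f"rejected parameter: {param!r}")
    return param


def build_command_safe(param: str) -> list:
    """Hardened pattern: allowlisted value passed as one argv element, no shell."""
    return [TOOL, "status", validate_param(param)]


def build_command_quoted(param: str) -> str:
    """Second-best option when a shell string is unavoidable: quote the value so
    the shell treats it as a single word (validation should still run first)."""
    return f"{TOOL} status {shlex.quote(param)}"


def run_safe(param: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False means no shell ever parses the input."""
    return subprocess.run(build_command_safe(param), shell=False,
                          capture_output=True, text=True, check=False)


def handle_request(form: dict) -> tuple:
    """Minimal stand-in for the web handler: invalid input -> HTTP 400, never a command."""
    try:
        argv = build_command_safe(form.get("param", ""))
    except ValueError as exc:
        return 400, str(exc)
    return 200, " ".join(argv)


if __name__ == "__main__":
    injected = "test; uname -a"          # the payload used on this page
    print("unsafe :", build_command_unsafe(injected))
    print("quoted :", build_command_quoted(injected))
    print("handler:", handle_request({"param": injected}))
    print("handler:", handle_request({"param": "vol01"}))
```

The allowlist is the part that matters: a denylist of metacharacters is easy to get wrong, whereas rejecting everything that is not a plausible value, and then passing that value as a single argv element with `shell=False`, leaves no shell to interpret it.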

Here's a simplified Python snippet that mimics how a hacker might exploit this:

import requests

# Address and port of the device's web management module (example value)
TARGET_URL = 'http://192.168.1.100:808/some_vulnerable_endpoint'

# Exploit payload: injects a system command after the expected value
payload = {
    'param': 'test; uname -a'  # Original param + injected command
}

response = requests.post(TARGET_URL, data=payload, timeout=10)
print('Response content:')
print(response.text)

What this does:

If vulnerable, the device will run uname -a (shows OS info) and possibly return the result.

Note: The actual parameter and endpoint may vary. Some public PoCs (proof-of-concept) use endpoints like /action/login or /action/deviceConfig with injectable fields.
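On the defensive side, the same property that makes the payload work (a shell metacharacter inside a form field) is also what a monitoring rule can key on. The following is an added example, not part of the original post or any Hikvision tooling: it decodes the query string and form body of each request record, flags values containing shell metacharacters, and ranks hits against the two endpoints named above higher. The request records are constructed sample data standing in for what a reverse proxy or packet capture in front of the management port might log; the field names and source addresses are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that have no business in a device-management parameter.
SHELL_META = re.compile(r"[;&|`$\n]")

# Endpoints named on the page as used by public PoCs; hits here rank higher.
MGMT_PATHS = {"/action/login", "/action/deviceConfig"}

# Fields that legitimately carry arbitrary text; flagging them would be noise.
IGNORE_FIELDS = {"password"}


def suspicious_params(encoded: str) -> dict:
    """Decode a query string or form body and return {field: [offending values]}.

    parse_qs undoes percent-encoding, so 'test%3B+uname+-a' is inspected as
    'test; uname -a' and a literal search for ';' cannot be evaded by encoding.
    """
    hits = {}
    for name, values in parse_qs(encoded, keep_blank_values=True).items():
        if name in IGNORE_FIELDS:
            continue
        bad = [v for v in values if SHELL_META.search(v)]
        if bad:
            hits[name] = bad
    return hits


def inspect_request(rec: dict) -> Optional[dict]:
    """Inspect one request record; return a finding or None."""
    parts = urlsplit(rec["path"])
    findings = suspicious_params(parts.query)
    if rec["method"] == "POST":
        findings.update(suspicious_params(rec.get("body", "")))
    if not findings:
        return None
    return {
        "src": rec["src"],
        "path": parts.path,
        "severity": "high" if parts.path in MGMT_PATHS else "medium",
        "params": findings,
    }


def scan(records) -> list:
    """Run inspect_request over every record and keep the findings."""
    return [f for f in (inspect_request(r) for r in records) if f]


# Constructed sample traffic (not real captures) as a proxy or packet capture
# in front of the management port might have recorded it.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.21", "method": "POST", "path": "/action/login",
     "body": "username=admin&password=Spring$2022"},
    {"src": "10.0.0.21", "method": "GET", "path": "/action/deviceConfig?id=3"},
    {"src": "198.51.100.7", "method": "POST", "path": "/action/deviceConfig",
     "body": "param=test%3B+uname+-a"},
    {"src": "198.51.100.7", "method": "POST", "path": "/action/login",
     "body": "username=admin%60id%60&password=x"},
    {"src": "10.0.0.40", "method": "GET", "path": "/status?host=10.0.0.5%7Cid"},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Two details carry the value here: decoding before matching, so URL-encoded payloads are not missed, and excluding fields such as passwords that legitimately contain characters like `$` or `&`, which is why the first sample request produces no finding. Plain web-server access logs usually omit POST bodies, so this kind of check needs a proxy, WAF or capture point that records them.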

Beyond running individual commands, an attacker with this level of access could also make the device part of a botnet for wider attacks.

Such risks are especially severe if the device is exposed to the internet or an untrusted LAN.

References & More Reading

- NVD entry for CVE-2022-28171
- Hikvision official advisory
- exploit-db PoC 50978
- GitHub example PoC

Mitigation

1. Update Firmware

The most important fix:
- Upgrade to the latest firmware from the official Hikvision download page.

2. Lock Down External Access

- Do not expose the web management interface to the internet or an untrusted LAN; reach it only from a restricted management network.

Conclusion

CVE-2022-28171 shows how a single overlooked input validation bug can put entire networks at risk. If you manage Hikvision Hybrid SAN/Cluster Storage units, patch now and lock down external access. Hackers are always looking for these types of IoT holes—don't give them an easy way in.

Timeline

Published on: 06/27/2022 18:15:00 UTC
Last modified on: 07/07/2022 16:36:00 UTC