Security researchers have observed renewed exploit campaigns targeting an eight-year-old backdoor in Hikvision cameras to harvest configuration files, user lists, and snapshots.
Attackers automate scans across IP ranges, appending a base64-encoded “auth” parameter to management URLs.
When decoded, the string commonly reveals “admin:11,” enabling unauthorized access. Organizations relying on older camera firmware are at heightened risk of data leakage.
Vulnerability Overview
First assigned CVE-2017-7921, the flaw stems from a hidden endpoint in Hikvision IP cameras that accepts credentials via a URL parameter, as reported by the SANS Internet Storm Center (ISC).
CVE ID | CVSS v3.1 Base Score | Severity | Affected Products
--- | --- | --- | ---
CVE-2017-7921 | 9.8 | Critical | Multiple Hikvision IP camera and DVR models
Instead of entering login details through the web interface, attackers issue GET requests such as:
GET /System/deviceInfo?auth=YWRtaW46MTEK
Here, “YWRtaW46MTEK” decodes to “admin:11”. Because Hikvision’s 2017 advisory was sparse, many administrators never learned of the exposed URLs.
Cameras and DVRs with only numeric on-screen keypads often still use trivial PINs, making brute-force guessing easy.
On September 23, 2025, honeypot logs recorded thousands of exploit attempts across multiple endpoints.
Attack scripts save any returned data (configuration files, user credentials, Wi-Fi keys) for lateral network intrusion or resale.
Below is a summary of the most targeted URLs and report counts since initial discovery:
Endpoint URL | First Report | Most Recent Report | Total Exploit Attempts
--- | --- | --- | ---
/System/configurationFile?auth=YWRtaW46MTEK | 2018-08-18 | 2025-09-23 | 6,720
/Security/users?auth=YWRtaW46MTEK | 2017-12-14 | 2025-09-23 | 2,293
/system/deviceInfo?auth=YWRtaW46MTEK | 2021-03-09 | 2025-09-23 | 2,002
/onvif-http/snapshot?auth=YWRtaW46MTEK | 2018-09-09 | 2025-09-23 | 445
/security/users/1?auth=YWRtaW46MTEK | 2020-09-25 | 2023-02-04 | 727
/Streaming/channels/1/picture/?auth=YWRtaW46MTEKYOBA | 2017-10-06 | 2017-10-06 | 6
/ISAPI/Security/users?auth=YWRtaW46MTEK | 2025-04-09 | 2025-04-29 | 2
Mitigation Strategies
- Firmware Updates: Apply the latest patches from Hikvision to remove hard-coded backdoors and enforce robust password rules.
- Network Segmentation: Isolate cameras on VLANs and restrict access with firewall rules.
- Strong Credentials: Replace default PINs with complex, alphanumeric passwords and disable URL-based logins.
- Log Monitoring: Watch for unexpected 200 OK responses to management URLs. Any “auth=” parameter in access logs warrants immediate investigation.
- Remote Access Controls: Disable or limit remote administration, and prefer HTTPS with digest or token-based authentication.
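The log-monitoring advice above (flag any “auth=” parameter on a management URL, and treat a 200 OK as a likely success) and the base64 decoding described earlier can be turned into a small triage script. The following is an added example written for this article, not code from the article or from Hikvision or SANS ISC: it assumes Apache/nginx “combined”-format access-log lines (a constructed sample is embedded), matches the request path against the endpoints in the table, decodes the auth value, and reports the source address, decoded credential, and response status. One caveat worth knowing: “YWRtaW46MTEK” actually decodes to “admin:11” followed by a newline byte, so exact-string matching on “admin:11” in decoded values will miss it unless trailing whitespace is stripped, as the script does.

```python
import base64
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Management paths from the honeypot summary, lower-cased so the match is
# case-insensitive (the logs show both /System/deviceInfo and /system/deviceInfo).
WATCHED_PATHS = (
    "/system/configurationfile",
    "/security/users",
    "/system/deviceinfo",
    "/onvif-http/snapshot",
    "/streaming/channels/",
    "/isapi/security/users",
)

# Assumed input format: Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); the auth values are the ones
# quoted in the article, the addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Sep/2025:10:14:02 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 4821 "-" "curl/7.88"',
    '203.0.113.7 - - [23/Sep/2025:10:14:03 +0000] "GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1" 401 0 "-" "curl/7.88"',
    '198.51.100.9 - - [23/Sep/2025:10:15:11 +0000] "GET /Streaming/channels/1/picture/?auth=YWRtaW46MTEKYOBA HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '192.0.2.5 - - [23/Sep/2025:10:16:00 +0000] "GET /doc/index.html HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [23/Sep/2025:10:16:01 +0000] "POST /ISAPI/Security/sessionLogin HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]


def query_params(query):
    """Split a raw query string without turning '+' into a space, so standard
    base64 (which may contain '+' and '/') reaches the decoder intact."""
    params = {}
    for part in query.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[unquote(key)] = unquote(value)
    return params


def decode_auth(value):
    """Base64-decode an auth parameter exactly as received. Returns the decoded
    text (trailing newline included if present), or None when the value is not
    valid base64. Missing '=' padding, common in hand-built URLs, is tolerated."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error (bad alphabet/padding) is a ValueError
        return None
    return raw.decode("utf-8", errors="replace")


def analyze_line(line):
    """Return a finding dict for a request carrying an auth= parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = query_params(parts.query)
    if "auth" not in params:
        return None
    status = int(m.group("status"))
    decoded = decode_auth(params["auth"])
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "path": parts.path,
        "status": status,
        "auth_b64": params["auth"],
        # Strip the trailing newline so "admin:11" compares cleanly.
        "credential": decoded.rstrip("\r\n") if decoded is not None else None,
        "known_endpoint": any(parts.path.lower().startswith(p) for p in WATCHED_PATHS),
        # A 200 to a management URL with URL-based auth is the signal the article says to watch.
        "verdict": "likely_success" if status == 200 else "attempt",
    }


def analyze_log(lines):
    """Run analyze_line over an iterable of log lines and keep the hits."""
    return [f for f in map(analyze_line, lines) if f is not None]


def by_source(findings):
    """Count findings per client address, useful for blocking or escalation."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']} {f['status']} {f['path']} cred={f['credential']!r} "
              f"known={f['known_endpoint']} {f['verdict']}")
    print("per source:", dict(by_source(hits)))
```

Run it against a real access log with `analyze_log(open("access.log"))`; any `likely_success` finding on a known endpoint means the device answered a URL-authenticated management request and its configuration should be treated as exposed.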
By promptly updating devices and tightening network controls, organizations can block attackers from exploiting CVE-2017-7921 and safeguard sensitive camera configurations.