Friday, March 6, 2026

CISA Adds Hikvision Vulnerability to KEV Catalog - 3-5-26

Yesterday CISA announced that it had added an improper authentication vulnerability in multiple Hikvision IP cameras to the CISA Known Exploited Vulnerabilities (KEV) catalog. Hikvision reported the vulnerability in March 2017. ICS-CERT published an advisory for the vulnerability in May 2017. In January 2025 Fortinet published a report of attempts to exploit the vulnerability. In September 2025 the SANS Internet Storm Center published a report about attempts to exploit the vulnerability.

CISA ordered federal agencies using the affected equipment to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of March 26th, 2026 has been applied.

Interestingly, §889 of the 2019 National Defense Authorization Act (PL 115-232, 132 STAT. 1917) prohibited federal agencies from using ‘covered telecommunications equipment’ from Hikvision. So, this CISA directive may have very limited application within the federal government.
