Hikvision Switches: Authenticated RCE in Discontinued Products
The National Vulnerability Database (NVD) has detailed CVE-2026-3828, a high-severity authenticated remote command execution (RCE) vulnerability affecting some Hikvision switch products. The flaw, rated 7.2 CVSS, stems from insufficient input validation, allowing attackers with valid credentials to execute arbitrary commands by sending specially crafted packets.
While Hikvision discontinued these specific switch models in December 2023, the vulnerability remains a critical concern for organizations still operating legacy hardware. An attacker gaining valid credentials—a common outcome of phishing or brute-force attacks—could leverage this RCE to gain full control over the affected network switches, potentially leading to network disruption, data interception, or further lateral movement within the environment.
Defenders cannot simply ignore this because the products are EOL. The attacker’s calculus here is simple: target the unpatched, forgotten, or end-of-life devices. These often remain operational, unmonitored, and unpatched, presenting a low-risk, high-reward entry point for adversaries. Assume these devices are prime targets.
What This Means For You
- If your organization still uses *any* Hikvision switch products, you need to immediately audit your inventory for models discontinued before December 2023. Prioritize replacing or isolating these devices. If replacement isn't feasible, ensure they are segmented, have strong access controls, and are not exposed to untrusted networks. Review logs for any suspicious activity on these devices, particularly failed login attempts or unusual command executions.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-3828 - Hikvision Switch Authenticated RCE via Command Injection
```yaml
title: CVE-2026-3828 - Hikvision Switch Authenticated RCE via Command Injection
id: scw-2026-05-09-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-3828 by identifying requests to Hikvision CGI endpoints that include a 'cmd=' parameter, indicative of command injection attempts.
author: SCW Feed Engine (AI-generated)
date: 2026-05-09
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-3828/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/hikvision/cgi-bin/'
    cs-uri-query|contains:
      - 'cmd='
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
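The selection logic of the Sigma rule above, run over a few log lines and split by whether the source is a known management host, as an added example (not code from Shimi's Cyber World, NVD or Hikvision). The W3C-style log layout, the sample entries, the `example.cgi` placeholder and the `ADMIN_HOSTS` allow-list are assumptions constructed for illustration.

```python
# Added example: evaluates the page's Sigma selection offline.
# Sigma semantics: fields are ANDed, listed values are ORed, and
# `contains` compares case-insensitively.
SELECTION = {"cs-uri": ["/hikvision/cgi-bin/"], "cs-uri-query": ["cmd="]}

# Assumption: management workstations allowed to administer the switches.
ADMIN_HOSTS = {"192.0.2.10"}

# Constructed sample log (not real traffic); example.cgi is a placeholder name.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri cs-uri-query sc-status
2026-05-09 12:20:01 192.0.2.10 admin GET /hikvision/cgi-bin/example.cgi - 200
2026-05-09 12:20:07 198.51.100.23 admin POST /hikvision/cgi-bin/example.cgi CMD=example 200
2026-05-09 12:21:15 192.0.2.10 - GET /index.html cmd=example 404
2026-05-09 12:22:40 192.0.2.10 admin GET /Hikvision/cgi-bin/example.cgi mode=view&cmd=example 200
2026-05-09 12:23:02 truncated-line
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def matches(entry, selection=SELECTION):
    """True when every selected field contains at least one of its values."""
    return all(
        any(value.lower() in entry.get(field, "").lower() for value in values)
        for field, values in selection.items()
    )


def triage(text, admin_hosts=ADMIN_HOSTS):
    """Return (source IP, user, URI, from_admin_host) per hit, unknown sources first."""
    hits = [(e["c-ip"], e["cs-username"], e["cs-uri"], e["c-ip"] in admin_hosts)
            for e in parse_w3c(text) if matches(e)]
    return sorted(hits, key=lambda hit: hit[3])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Hits from hosts outside the allow-list are the ones to review first; hits from management hosts correspond to the rule's stated false positive, legitimate administrative activity.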
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3828 | RCE | Hikvision switch products (discontinued since December 2023) |
| CVE-2026-3828 | RCE | Insufficient input validation |
| CVE-2026-3828 | RCE | Authenticated remote command execution |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 09, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.