Introduction
Attackers have been able to remotely execute arbitrary commands on enterprise surveillance management systems without authentication, impacting the integrity and availability of physical security infrastructure. Hikvision's iSecure Center, a widely deployed centralized security management platform, is affected by a critical command injection flaw that has seen active exploitation in the wild in both 2024 and 2025.
About Hikvision and iSecure Center: Hikvision is a global leader in video surveillance and physical security technology, with a product portfolio spanning IP cameras, NVRs, and integrated management platforms. The iSecure Center platform is designed for large-scale enterprise deployments, providing unified control and monitoring of security devices across diverse environments. Its widespread use in critical sectors increases the potential impact of vulnerabilities.
Technical Information
CVE-2024-58274 is a command injection vulnerability in the Hikvision Comprehensive Security Management Platform (CSMP) iSecure Center, affecting all versions up to and including 2024-08-01. The vulnerability is present in the /center/api/installation/detection endpoint, which processes JSON data as part of installation detection operations.
The root cause is improper input validation and sanitization of user-supplied JSON data. Specifically, the platform fails to neutralize shell metacharacters, allowing attackers to inject commands using the shell command substitution syntax $( ). When such a payload is received, the application incorporates the attacker-controlled value into a system-level command, which is then executed by the underlying operating system with the privileges of the application service account.
This flaw is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability does not require authentication, significantly increasing the risk and attack surface. Exploitation can result in full system compromise, including arbitrary file writes, web shell deployment, and lateral movement within the network.
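A log-side check for the pattern described above, added here as an example and not taken from Hikvision or from the Nuclei template: it flags requests to the vulnerable endpoint whose JSON body contains $( after decoding. The record layout (src, path, body), the key example_field and the sample addresses are assumptions, and the sample records are constructed.

```python
import json
import re

ENDPOINT = "/center/api/installation/detection"  # endpoint named in the advisory
CMD_SUBST = re.compile(r"\$\(")                   # start of shell command substitution

def strings_in(node):
    """Yield every string (keys and values) inside a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from strings_in(value)
    elif isinstance(node, list):
        for item in node:
            yield from strings_in(item)

def is_suspicious(record):
    """True when a request to ENDPOINT carries $( in its JSON body."""
    path = record["path"].split("?", 1)[0].rstrip("/")
    if path != ENDPOINT:
        return False
    try:
        # Decode first so JSON escapes such as \u0024 cannot hide the "$".
        candidates = list(strings_in(json.loads(record["body"])))
    except ValueError:
        candidates = [record["body"]]  # malformed JSON: inspect the raw text
    return any(CMD_SUBST.search(text) for text in candidates)

def scan(records):
    """Return the source address of every suspicious request, in order."""
    return [r["src"] for r in records if is_suspicious(r)]

# Constructed sample records; field names and "example_field" are assumptions.
SAMPLE_RECORDS = [
    {"src": "192.0.2.10", "path": ENDPOINT, "body": r'{"example_field": "$(id)"}'},
    {"src": "192.0.2.11", "path": ENDPOINT, "body": r'{"example_field": "\u0024(id)"}'},
    {"src": "192.0.2.12", "path": ENDPOINT, "body": r'{"example_field": "host-01"}'},
    {"src": "192.0.2.13", "path": ENDPOINT + "?t=1", "body": r'{"example_field": "$(id)"'},
    {"src": "192.0.2.14", "path": "/other/path", "body": r'{"note": "$(id)"}'},
]

if __name__ == "__main__":
    for src in scan(SAMPLE_RECORDS):
        print("possible CVE-2024-58274 attempt from", src)
```

Because the endpoint accepts unauthenticated requests, any hit from an untrusted source is worth triage even when the host has since been patched.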
Proof of Concept
The Proof-of-Concept (PoC) for the vulnerability in Hikvision's Comprehensive Security Management Platform (CSMP) iSecure Center, as detailed in the Nuclei template, focuses on the /center/api/installation/detection endpoint. This endpoint is susceptible to command injection due to improper handling of JSON data, specifically within the $( ) syntax.
An attacker can exploit this vulnerability by sending a crafted JSON payload to the vulnerable endpoint. Within this payload, commands enclosed in $( ) are executed by the system. For instance, an attacker might send a JSON object where a parameter's value includes $(id), prompting the system to execute the id command, which returns user identity information.
The Nuclei template provides a structured method to detect this vulnerability by sending such a payload and observing the system's response. If the system executes the command and returns its output, it confirms the presence of the vulnerability.
It's crucial to note that this PoC is intended for educational and testing purposes within controlled environments. Unauthorized exploitation of this vulnerability is illegal and unethical.
Affected Systems and Versions
- Product: Hikvision CSMP iSecure Center
- Affected versions: All versions through 2024-08-01
- Vulnerable endpoint: /center/api/installation/detection
- No authentication required for exploitation
Vendor Security History
Hikvision has previously faced multiple critical vulnerabilities in its product lines, including:
- CVE-2021-36260: Command injection in IP cameras and NVRs, allowing unauthenticated remote code execution
- CVE-2023-28815: Command injection in iSecure Center
The recurrence of command injection flaws in both device firmware and management platforms highlights ongoing challenges in secure input handling and code review processes. Hikvision typically issues advisories and patches, but the frequency of similar vulnerabilities suggests the need for improved secure development lifecycle practices.