"Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data"

Video surveillance giant Hikvision recently informed customers that it has patched a critical vulnerability affecting its Hybrid SAN and cluster storage products. The vulnerability, tracked as CVE-2023-28808, has been described by the vendor as an access control issue that can be exploited to obtain administrator permissions by sending specially crafted messages to the targeted device. The impacted products are used by organizations to store video security data, and an attacker exploiting the vulnerability could gain access to that data. The company stated that while it is not aware of this vulnerability being exploited in the field, it recognizes that some of its partners may have installed Hikvision equipment that is affected by this vulnerability, and it strongly encourages them to work with their customers to install the patch and ensure proper cyber hygiene. Hikvision noted in its advisory that an attacker needs to have network access to the targeted device in order to exploit CVE-2023-28808. Hikvision announced on April 10 that patches are included in version 2.3.8-8 for Hybrid SAN and version 1.1.4 for cluster storage devices. The vendor has provided detailed instructions for installing the updates.

 

SecurityWeek reports: "Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data"

Submitted by Anonymous on