A critical authenticated remote command execution vulnerability (CVE-2026-3828) affecting several discontinued PoE switch models, urging users still running these end-of-life devices to apply firmware patches immediately.
The Hikvision Security Response Center (HSRC) published Security Advisory HSRC-202605-02 on May 8, 2026, formally disclosing a vulnerability affecting three discontinued PoE network switch models.
The flaw stems from insufficient input validation in the switch firmware, allowing an attacker who holds valid administrative credentials to execute arbitrary operating system commands remotely, a class of attack often used to pivot deeper into enterprise networks or gain persistent access to surveillance infrastructure.
CVE-2026-3828: Hikvision Switch Vulnerability
CVE-2026-3828 is an authenticated remote command execution vulnerability assigned a CVSS v3.1 base score of 7.2 (High). The CVSS vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Tells a precise technical story: the attack vector is network-based, requires no user interaction, carries low attack complexity, and yields high impact across confidentiality, integrity, and availability on the affected device.
The only meaningful barrier is the requirement for high-privilege (administrator-level) credentials, which reduces but does not eliminate real-world risk, especially given how commonly default or reused credentials are left unchanged in legacy network hardware deployments.
The flaw was independently discovered and responsibly disclosed to Hikvision’s HSRC by security researcher Thiago Torres, handle “torresm”. This marks yet another researcher-driven disclosure for Hikvision. This company has faced multiple rounds of command injection and input validation flaws in its product lines over the past several years.
The exploitation mechanism is straightforward but dangerous. An authenticated attacker sends specially crafted network packets containing embedded malicious commands to a vulnerable Hikvision switch.
Because the firmware fails to properly sanitize user-supplied input before passing it to the underlying operating system, the injected commands execute with device-level privileges.
This mirrors the attack pattern seen in earlier Hikvision vulnerabilities such as CVE-2021-36260, where crafted HTTP requests bypassed the device’s protected shell (psh) and enabled root-level command execution.
In practice, once command execution is achieved on a network switch, an attacker can alter VLAN configurations, intercept traffic traversing the switch, turn off security controls, or use the compromised device as a foothold to escalate lateral movement within the target network.
Network switches occupy a uniquely privileged position in infrastructure, allowing one to expose the entire network segment they manage.
Affected Versions and Mitigation
Three Hikvision PoE switch models are confirmed vulnerable, all of which were discontinued by December 2023:
The DS-3E1310P-SI running firmware version V1.2.4_210623 or earlier is affected; the patched version is V1.2.5_260309. The DS-3E1318P-SI and DS-3E1326P-SI, both running firmware up to and including V1.2.0_210823, are also impacted; both models receive their fix in V1.2.1_260309, released by Hikvision on March 9, 2026.
These are end-of-life (EoL) products. Hikvision’s decision to still release security patches for discontinued hardware reflects the company’s acknowledgment that large numbers of legacy devices remain actively deployed in physical security and enterprise environments worldwide.
Hikvision’s remediation guidance is unambiguous: apply the patched firmware immediately. Firmware packages for all three affected models are available directly from the Hikvision official website.
Organizations that cannot immediately patch should implement the following compensating controls as an interim measure:
- Restrict administrative access to the switch management interface by enforcing IP allowlisting and turning off remote management on untrusted interfaces.
- Change all default credentials on the affected devices immediately, as threat actors frequently exploit unchanged factory passwords on aging hardware.
- Segment affected switches from critical network zones using firewall rules or additional VLAN boundaries to limit the blast radius of a potential compromise.
- Monitor for anomalous traffic originating from switch management interfaces, including unexpected outbound connections or configuration changes.
- Plan for hardware replacement, as these devices have reached end-of-life and will no longer receive routine security support beyond this exceptional patch.
Organizations in sectors such as retail, education, manufacturing, and physical security that commonly deploy Hikvision PoE switches for powering and connecting IP cameras should treat this advisory as a priority action item.
This disclosure does not exist in isolation. Hikvision has faced a persistent pattern of input-validation vulnerabilities across its product portfolio. The 2021 CVE-2021-36260 flaw, a critical unauthenticated RCE with a CVSS score of 9.8.
Affected hundreds of thousands of internet-exposed cameras and switches and was widely exploited by multiple threat actor groups, prompting a CISA advisory and inclusion in the Known Exploited Vulnerabilities catalog.
While CVE-2026-3828 requires authentication and therefore carries a lower severity score, the risk profile increases significantly in environments with poor credential hygiene, a common reality in legacy OT and physical security deployments.
Security researchers and network defenders should treat any Hikvision hardware, particularly discontinued models still running aging firmware, as elevated-risk assets deserving of proactive network monitoring and accelerated replacement cycles.
FAQ
Q1: Is CVE-2026-3828 being actively exploited in the wild?
As of May 8, 2026, Hikvision has not confirmed active exploitation, but the flaw’s authenticated RCE nature makes it a high-value post-compromise target.
Q2: Does this vulnerability affect Hikvision IP cameras or NVRs?
No CVE-2026-3828 is specific to three discontinued Hikvision PoE switch models (DS-3E1310P-SI, DS-3E1318P-SI, DS-3E1326P-SI) and does not affect cameras or NVR devices.
Q3: Can an unauthenticated attacker exploit this flaw remotely?
No exploitation requires valid high-privilege credentials (PR:H in CVSS), but attackers who obtain admin credentials through credential stuffing or phishing can fully leverage them.
Q4: Where can I download the official patched firmware for the affected Hikvision switches?
Official firmware patches are available on the Hikvision product firmware portal and are linked directly in security advisory HSRC-202605-02 on the Hikvision website.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
