CVE-2017-7921

Hikvision Improper Authentication Exploitation (CVE-2017-7921)

Detects exploitation attempts targeting CVE-2017-7921, an improper authentication vulnerability (CWE-287) in the web interface of multiple Hikvision IP camera series. A request for a protected path that carries an auth= query parameter holding a base64-encoded credential string is served without a valid session, which lets an unauthenticated attacker read the user list, download the device configuration file (which contains account credentials) and pull live snapshots. The vulnerability is listed on CISA KEV, indicating active exploitation in the wild. Attackers commonly use it to gain persistent access to surveillance infrastructure, pivot within networks, or exfiltrate sensitive footage.

Vulnerability Intelligence

KEV — Known Exploited

CVSS

Unscored
Write-up coming soon

What is CVE-2017-7921 (Hikvision Improper Authentication Exploitation)?

Hikvision Improper Authentication Exploitation (CVE-2017-7921) maps to the MITRE ATT&CK tactics Initial Access, Persistence, Credential Access and Collection: the adversary is trying to get into your network, keep a foothold on the cameras, harvest the credentials stored on them and collect footage.

This page provides production-ready detection logic for Hikvision Improper Authentication Exploitation (CVE-2017-7921), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Firewall Logs, CommonSecurityLog, Palo Alto Networks and Web Proxy Logs. The query below is rated critical severity at high confidence, and the same logic ships for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic: Initial Access, Persistence, Credential Access, Collection
Microsoft Sentinel / Defender
```kusto
let lookback = 24h;
// Normalise both tables to the CommonSecurityLog column names before matching:
// DeviceNetworkEvents carries the URL in RemoteUrl and has no HTTP method column,
// so the original union left RequestURL empty for every endpoint row.
union
  (DeviceNetworkEvents
   | where TimeGenerated > ago(lookback) and isnotempty(RemoteUrl)
   | project TimeGenerated, SourceIP = LocalIP, DestinationIP = RemoteIP,
             DestinationPort = RemotePort, RequestURL = RemoteUrl, RequestMethod = ""),
  (CommonSecurityLog
   | where TimeGenerated > ago(lookback) and isnotempty(RequestURL)
   | project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, RequestMethod)
// HTTP ports Hikvision devices expose by default
| where DestinationPort in (80, 443, 8000, 8080, 8443)
// Hikvision web/ISAPI paths. The bypass is also served at the web root
// (/Security/users, /System/configurationFile, /onvif-http/snapshot), so those are listed explicitly.
| where RequestURL has_any ("/onvif", "/ISAPI/", "/cgi-bin/", "/SDK/", "/snapshot", "/Security/users", "/System/configurationFile")
| where RequestURL contains "auth=" or RequestURL has_any ("ismerge=1", "/Security/users", "/userCheck", "/configurationFile")
| extend SuspiciousPattern = case(
    // YWRtaW46MTE is base64("admin:11"); the published bypass value admin:11\n encodes to YWRtaW46MTEK.
    // Matching the prefix also catches un-padded or differently terminated variants of the string.
    RequestURL contains "auth=YWRtaW46MTE", "Default-credential-bypass",
    RequestURL has "configurationFile", "Config-exfil-attempt",
    RequestURL has "/Security/users" and RequestMethod == "GET", "User-enumeration",
    RequestURL contains "ismerge=1", "Auth-bypass-param",
    "Suspicious-Hikvision-Request"
  )
| summarize
    RequestCount = count(),
    DistinctURLs = dcount(RequestURL),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SampleURLs = make_set(RequestURL, 5)
    by SourceIP, DestinationIP, SuspiciousPattern
| extend RiskScore = case(
    SuspiciousPattern == "Default-credential-bypass", 90,
    SuspiciousPattern == "Config-exfil-attempt", 85,
    SuspiciousPattern == "Auth-bypass-param", 80,
    70
  )
| sort by RiskScore desc, RequestCount desc
```

Detects HTTP requests to Hikvision camera endpoints that match known CVE-2017-7921 authentication bypass patterns: the base64 default-credential string in the auth= parameter (YWRtaW46MTE, base64 of admin:11, which the published bypass value YWRtaW46MTEK extends with a trailing newline), configuration file downloads, user-list reads and other authentication parameter manipulation. Hits are grouped per source, destination and pattern and ranked by RiskScore.

Severity: critical. Confidence: high.

Data Sources

  • Microsoft Defender for Endpoint
  • Azure Firewall Logs
  • CommonSecurityLog
  • Palo Alto Networks
  • Web Proxy Logs

Required Tables

  • DeviceNetworkEvents
  • CommonSecurityLog

False Positives

  • Legitimate ONVIF integration tools used by security management software performing routine polling
  • Network vulnerability scanners (Nessus, Qualys, Rapid7) performing scheduled assessments of camera infrastructure
  • Hikvision iVMS or other legitimate management software accessing ISAPI endpoints for configuration
  • Security researchers performing authorized penetration tests against camera systems
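To show the pattern classification of the query above and the source allowlisting that the false-positive list calls for in working code, here is an added example (not rule code from the page or its vendor) that runs the same SuspiciousPattern / RiskScore logic over a handful of constructed CEF-style proxy lines, decodes the auth= value so the analyst sees the credential being presented, and suppresses a known management host. The CEF extension keys src, dst, dpt, requestMethod and request are the standard keys CommonSecurityLog maps to SourceIP, DestinationIP, DestinationPort, RequestMethod and RequestURL; the sample lines, the camera addresses and the allowlisted iVMS host 10.0.0.5 are all assumptions made for the example.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed CEF-style proxy/firewall lines, not real telemetry.
_HDR = "CEF:0|Palo Alto Networks|PAN-OS|10.2.0|url|URL Filtering|3|"
SAMPLE_LOGS = [
    _HDR + "src=10.20.30.40 dst=192.168.50.10 dpt=80 requestMethod=GET request=http://192.168.50.10/ISAPI/Security/users?auth=YWRtaW46MTEK",
    _HDR + "src=10.20.30.40 dst=192.168.50.10 dpt=80 requestMethod=GET request=http://192.168.50.10/System/configurationFile?auth=YWRtaW46MTEK",
    _HDR + "src=10.20.30.40 dst=192.168.50.10 dpt=80 requestMethod=GET request=http://192.168.50.10/System/configurationFile",
    # assumed iVMS management host polling the user list: the false positive from the list above
    _HDR + "src=10.0.0.5 dst=192.168.50.10 dpt=80 requestMethod=GET request=http://192.168.50.10/ISAPI/Security/users",
    _HDR + "src=10.20.30.41 dst=192.168.50.11 dpt=443 requestMethod=GET request=https://192.168.50.11/doc/page/login.asp",
    _HDR + "src=10.20.30.42 dst=192.168.50.12 dpt=8000 requestMethod=GET request=http://192.168.50.12:8000/onvif-http/snapshot?auth=YWRtaW46MTEK",
]
MANAGEMENT_HOSTS = frozenset({"10.0.0.5"})  # assumed allowlist of VMS/iVMS hosts

CAMERA_PORTS = {80, 443, 8000, 8080, 8443}
# Lower-cased because the KQL has_any() match is case-insensitive.
HIKVISION_PATHS = ("/onvif", "/isapi/", "/cgi-bin/", "/sdk/", "/snapshot",
                   "/security/users", "/system/configurationfile")
SENSITIVE_PATHS = ("/security/users", "/usercheck", "/configurationfile")
# base64("admin:11"); the published bypass value is admin:11\n, i.e. YWRtaW46MTEK.
BYPASS_PREFIX = "YWRtaW46MTE"
RISK = {"Default-credential-bypass": 90, "Config-exfil-attempt": 85, "Auth-bypass-param": 80}
DEFAULT_RISK = 70


def parse_cef(line):
    """Return the CEF extension key/value pairs as a dict ({} if the header is malformed)."""
    parts = line.split("|", 7)
    if len(parts) != 8:
        return {}
    return dict(re.findall(r"(\w+)=(\S+)", parts[7]))


def decode_auth(value):
    """Decode the auth= parameter, tolerating stripped padding; None if it is not base64."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("latin-1")


def classify(method, url):
    """Mirror the KQL SuspiciousPattern case() for one request; None when it is out of scope."""
    split = urlsplit(url)
    path, query = split.path.lower(), parse_qs(split.query)
    if not any(p in path for p in HIKVISION_PATHS):
        return None
    auth = query.get("auth", [""])[0]
    ismerge = query.get("ismerge", [""])[0] == "1"
    if not (auth or ismerge or any(s in path for s in SENSITIVE_PATHS)):
        return None
    if auth.startswith(BYPASS_PREFIX):
        return "Default-credential-bypass"
    if "/configurationfile" in path:
        return "Config-exfil-attempt"
    if "/security/users" in path and method == "GET":
        return "User-enumeration"
    if ismerge:
        return "Auth-bypass-param"
    return "Suspicious-Hikvision-Request"


def hunt(lines, allowlist=frozenset()):
    """Group hits by (src, dst, pattern) like the KQL summarize, skipping allowlisted sources."""
    groups = defaultdict(lambda: {"count": 0, "urls": set(), "auth": None})
    for line in lines:
        ev = parse_cef(line)
        src, dst, url = ev.get("src", ""), ev.get("dst", ""), ev.get("request", "")
        if src in allowlist or not ev.get("dpt", "").isdigit() or int(ev["dpt"]) not in CAMERA_PORTS:
            continue
        pattern = classify(ev.get("requestMethod", ""), url)
        if pattern is None:
            continue
        g = groups[(src, dst, pattern)]
        g["count"] += 1
        g["urls"].add(url)
        auth = parse_qs(urlsplit(url).query).get("auth", [""])[0]
        if auth and g["auth"] is None:
            g["auth"] = decode_auth(auth)  # the credential the client is presenting, e.g. 'admin:11\n'
    results = [{"src": s, "dst": d, "pattern": p, "risk": RISK.get(p, DEFAULT_RISK),
                "count": g["count"], "distinct_urls": len(g["urls"]),
                "sample_urls": sorted(g["urls"])[:5], "decoded_auth": g["auth"]}
               for (s, d, p), g in groups.items()]
    results.sort(key=lambda r: (-r["risk"], -r["count"]))
    return results


if __name__ == "__main__":
    for r in hunt(SAMPLE_LOGS, allowlist=MANAGEMENT_HOSTS):
        print(f'{r["risk"]:>3} {r["pattern"]:<26} {r["src"]} -> {r["dst"]} '
              f'x{r["count"]} auth={r["decoded_auth"]!r}')
```

Note that a configurationFile request carrying the bypass string is reported as Default-credential-bypass, not Config-exfil-attempt, because the case() tests the credential string first; the sample URL in the group still shows which file was fetched. Keep the allowlist to management hosts you have verified, since a compromised VMS server is exactly the kind of pivot this detection is meant to catch.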

Sigma rule & cross-platform mapping

The detection logic for Hikvision Improper Authentication Exploitation (CVE-2017-7921) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps) and LogScale (CrowdStrike LogScale (CQL)) queries. The query matches on HTTP request URLs from proxy and firewall logs rather than on Windows network-connection events, so in Sigma terms this detection targets the following logsource (fields c-uri, cs-method, src_ip, dst_ip, dst_port):

logsource:
  category: proxy
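Written here as an added example (not a rule from the page's pack or from the Sigma community repository), the rule below carries the same path and parameter logic as the KQL query on the proxy logsource. The id and date fields are left for the deployer to fill in, and the src_ip under filter_vms is an assumed management host, not a value the page gives.

```yaml
title: Hikvision CVE-2017-7921 Authentication Bypass Request
status: experimental
description: |
  HTTP request to a Hikvision web/ISAPI path that carries the CVE-2017-7921
  auth= parameter (base64 of admin:11, prefix YWRtaW46MTE) or that reads the
  user list, the user check endpoint or the device configuration file.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2017-7921
tags:
  - attack.initial_access
  - attack.t1190
  - attack.persistence
  - attack.credential_access
  - attack.collection
logsource:
  category: proxy
detection:
  selection_paths:
    c-uri|contains:
      - '/onvif'
      - '/ISAPI/'
      - '/cgi-bin/'
      - '/SDK/'
      - '/snapshot'
      - '/Security/users'
      - '/System/configurationFile'
  selection_bypass:
    c-uri|contains: 'auth=YWRtaW46MTE'
  selection_sensitive:
    c-uri|contains:
      - '/Security/users'
      - '/userCheck'
      - '/configurationFile'
      - 'ismerge=1'
  filter_vms:
    src_ip: '10.0.0.5'   # assumed iVMS host; replace with your management hosts
  condition: selection_paths and (selection_bypass or selection_sensitive) and not filter_vms
falsepositives:
  - Hikvision iVMS or other management software polling ISAPI endpoints
  - Vulnerability scanners assessing camera infrastructure
level: critical
```

Sigma string matching is case-insensitive by default, which is what the KQL has_any() does for the path list; for the base64 value that means a differently cased string would also match, which only adds noise and does not cause a miss.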


Testing Methodology

Validate this detection against the four adversary tests below, provided in Atomic Red Team format. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Hikvision Auth Bypass via URL Parameter

    Expected signal: HTTP GET request to /ISAPI/Security/users (or /Security/users at the web root) with an auth= query parameter visible in proxy/firewall logs; HTTP 200 response with an XML user list in the body if the device is vulnerable

  2. Test 2: Hikvision Configuration File Exfiltration

    Expected signal: HTTP GET request to /System/configurationFile with an auth= parameter in proxy logs; if vulnerable, a binary configuration file download (often large, >100KB) in the response

  3. Test 3: Hikvision Default Credential Base64 Bypass

    Expected signal: multiple HTTP GET requests to Hikvision ISAPI endpoints across one or more camera IPs with the identical base64 auth parameter; a sequential probing pattern visible in proxy logs

  4. Test 4: RTSP Stream Access Post-Exploitation

    Expected signal: RTSP connection attempt to port 554 on the camera IP with credentials in the URL; network logs show TCP session establishment on port 554 from a client that is not a known VMS/NVR host

Unlock Pro Content

Get the full detection package for CVE-2017-7921 including response playbook, investigation guide, and atomic red team tests.

