Detect Hikvision Improper Authentication Exploitation (CVE-2017-7921) in Splunk
Detects exploitation attempts targeting CVE-2017-7921, an improper authentication vulnerability (CWE-287) in Hikvision IP cameras and multiple products. This vulnerability allows unauthenticated attackers to bypass authentication and gain unauthorized access to camera streams, configurations, and credentials by manipulating URL parameters. Listed on CISA KEV, indicating active exploitation in the wild. Attackers commonly use this to gain persistent access to surveillance infrastructure, pivot within networks, or exfiltrate sensitive footage.
MITRE ATT&CK
SPL Detection Query
index=proxy OR index=network OR index=ids
| search (uri_path="*/onvif/*" OR uri_path="*/ISAPI/*" OR uri_path="*/cgi-bin/*" OR uri_path="*/SDK/*" OR uri_path="*/snapshot*" OR uri_path="*/System/configurationFile*")
| search (uri_query="*auth=*" OR uri_query="*ismerge=1*" OR uri_path="*/Security/users*" OR uri_path="*configurationFile*" OR uri_path="*userCheck*")
| eval suspicious_pattern=case(
match(uri_query, "auth=YWRtaW4"), "default-credential-bypass",
match(uri_path, "configurationFile"), "config-exfil-attempt",
match(uri_path, "/Security/users") AND method="GET", "user-enumeration",
match(uri_query, "ismerge=1"), "auth-bypass-param",
true(), "suspicious-hikvision-request"
)
| eval risk_score=case(
suspicious_pattern="default-credential-bypass", 90,
suspicious_pattern="config-exfil-attempt", 85,
suspicious_pattern="auth-bypass-param", 80,
true(), 70
)
| stats
count as request_count,
dc(uri_path) as distinct_urls,
min(_time) as first_seen,
max(_time) as last_seen,
values(uri_path) as sample_urls,
max(risk_score) as max_risk_score
by src_ip, dest_ip, suspicious_pattern
| where request_count >= 1
| sort - max_risk_score
Splunk query detecting Hikvision CVE-2017-7921 exploitation attempts by identifying authentication bypass URL patterns in proxy and network logs.
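As an added example (not code from the original page), the Python below reproduces the query's two filter stages, the case() precedence and the stats grouping over constructed proxy events, so the classification can be unit-tested before the SPL is deployed. It assumes the /System/configurationFile path from Test 2 belongs in the stage-1 filter; all addresses and auth values are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Stage 1 of the query: Hikvision-style paths (adds /System/configurationFile from the test section as an assumption).
PATH_FILTER = re.compile(r"/(onvif|ISAPI|cgi-bin|SDK)/|/snapshot|/System/configurationFile")
# Stage 2 of the query: bypass indicators in the query string or the path.
QUERY_INDICATORS = ("auth=", "ismerge=1")
PATH_INDICATORS = ("/Security/users", "configurationFile", "userCheck")
# Ordered like the SPL case(): the first matching rule wins, so precedence matters.
RULES = [
    (lambda m, p, q: "auth=YWRtaW4" in q, "default-credential-bypass", 90),
    (lambda m, p, q: "configurationFile" in p, "config-exfil-attempt", 85),
    (lambda m, p, q: "/Security/users" in p and m == "GET", "user-enumeration", 70),
    (lambda m, p, q: "ismerge=1" in q, "auth-bypass-param", 80),
    (lambda m, p, q: True, "suspicious-hikvision-request", 70),
]

def classify(method, uri):
    """Return (suspicious_pattern, risk_score), or None when either filter stage rejects the request."""
    _, _, path, query, _ = urlsplit(uri)
    if not PATH_FILTER.search(path):
        return None
    if not (any(s in query for s in QUERY_INDICATORS) or any(s in path for s in PATH_INDICATORS)):
        return None
    for pred, name, score in RULES:
        if pred(method, path, query):
            return name, score

def aggregate(events):
    """Mirror the stats clause: one row per (src_ip, dest_ip, suspicious_pattern), highest risk first."""
    rows = defaultdict(lambda: {"request_count": 0, "sample_urls": set(), "max_risk_score": 0})
    for src, dst, method, uri in events:
        hit = classify(method, uri)
        if hit is None:
            continue  # not Hikvision-related or no bypass indicator: never reaches stats
        pattern, score = hit
        row = rows[(src, dst, pattern)]
        row["request_count"] += 1
        row["sample_urls"].add(urlsplit(uri).path)
        row["max_risk_score"] = max(row["max_risk_score"], score)
    return sorted(rows.items(), key=lambda kv: -kv[1]["max_risk_score"])
# Constructed sample proxy events (src_ip, dest_ip, method, uri); addresses are RFC 5737 examples.
SAMPLE_EVENTS = [
    ("198.51.100.5", "192.0.2.20", "GET", "/ISAPI/Security/users?auth=YWRtaW4="),
    ("198.51.100.5", "192.0.2.20", "GET", "/System/configurationFile?auth=Zm9v"),
    ("198.51.100.7", "192.0.2.21", "GET", "/ISAPI/Security/users"),
    ("198.51.100.9", "192.0.2.22", "GET", "/ISAPI/userCheck?ismerge=1"),
    ("198.51.100.9", "192.0.2.22", "GET", "/onvif/device_service"),
]
```

Note that, as in the SPL, a request carrying the default-credential token is scored 90 even when it also targets configurationFile, because the first case() branch wins.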
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate ONVIF clients and NVR systems performing scheduled health checks on camera endpoints
- Authorized vulnerability assessment tools scanning camera infrastructure per change control
- Hikvision firmware update processes that access ISAPI configuration endpoints
- Third-party VMS (Video Management Software) performing API calls to camera management interfaces
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Hikvision Auth Bypass via URL Parameter
Expected signal: HTTP GET request to /ISAPI/Security/users with auth= query parameter visible in proxy/firewall logs; HTTP 200 response body containing XML user data if device is vulnerable
- Test 2: Hikvision Configuration File Exfiltration
Expected signal: HTTP GET request to /System/configurationFile with auth= parameter in proxy logs; if vulnerable, a binary configuration file download (often large, >100KB) in response
- Test 3: Hikvision Default Credential Base64 Bypass
Expected signal: Multiple HTTP GET requests to Hikvision ISAPI endpoints across one or more camera IPs with identical base64 auth parameter; sequential probing pattern visible in proxy logs
- Test 4: RTSP Stream Access Post-Exploitation
Expected signal: RTSP connection attempt to port 554 on camera IP with credentials in the URL; network logs show TCP session establishment on port 554 from non-standard client