
CPATH-2026-0029 · GENERAL IOT

Hikvision IP camera / NVR unauthenticated command injection (CVE-2021-36260)

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.
Paths verdict: EMERGENCY · Dominant consequence: PERCEPTION_TO_ACTION (perception) · Evidence: EV:4 (field-confirmed) · Liveness: PATCH_AVAILABLE
CPATH ID: CPATH-2026-0029
CVE(s): CVE-2021-36260
Device / class: Hikvision IP camera / NVR (GENERAL IOT)
Vendor: Hikvision
Dominant consequence: PERCEPTION_TO_ACTION (perception)
Paths verdict: EMERGENCY (worst of 3 paths)
Published baseline: CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) · NVD / CNA via NVD
Baseline relationship: Paths verdict higher than baseline
Consequence dimension(s): #1 #2 #7
Scored: 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence: high

Consequence Paths

Paths Assessment

perception · PERCEPTION_TO_ACTION · EMERGENCY
Reachability RE:4 · Complexity EC:4 · Exposure EX:4
Physical / safety PH:3 · Data / perception DP:4 · Authority AT:3 · Chainability CH:4
Reuse scale SR:4 · Execution scale SX:4 · Recovery OR:3
Evidence EV:4 (field-confirmed) · Liveness LS:PATCH_AVAILABLE
Vector CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:4/EC:4/EX:4/PH:3/DP:4/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE

authority · ACCOUNT_AUTHORITY · EMERGENCY
Reachability RE:4 · Complexity EC:4 · Exposure EX:4
Physical / safety PH:3 · Data / perception DP:3 · Authority AT:3 · Chainability CH:4
Reuse scale SR:4 · Execution scale SX:4 · Recovery OR:3
Evidence EV:4 (field-confirmed) · Liveness LS:PATCH_AVAILABLE
Vector CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:3/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE

authority · FLEET_CONTROL_PLANE · EMERGENCY
Reachability RE:4 · Complexity EC:4 · Exposure EX:4
Physical / safety PH:3 · Data / perception DP:2 · Authority AT:2 · Chainability CH:4
Reuse scale SR:4 · Execution scale SX:4 · Recovery OR:3
Evidence EV:4 (field-confirmed) · Liveness LS:PATCH_AVAILABLE
Vector CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:3/DP:2/AT:2/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE

Assessment

CFSE Consequence Paths assesses Hikvision IP camera / NVR unauthenticated command injection (CVE-2021-36260) at EMERGENCY, the worst of its 3 risk paths (one perception path and two authority paths). The dominant consequence is manipulated perception that drives action: the device is a physical-security sensor, so an attacker who controls its output controls what operators believe is happening.

Vulnerability

Command injection in the embedded web server of affected Hikvision IP cameras and NVRs (CVE-2021-36260), reachable by an unauthenticated remote attacker. Reported attack vector: Network (remote, unauthenticated HTTP to the device web server); a single crafted request executes as root on the device.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability combined with execution complexity), on the authority, perception and physical/safety impact it reaches, and on its scale of reuse, scale of execution and recovery burden. The worst of the three consequence bands gives the base verdict; uplifts for observed exploitation and fleet-reachable authority raise it to the assessed verdict.

PERCEPTION_TO_ACTION · EMERGENCY

CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:4/EC:4/EX:4/PH:3/DP:4/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE

Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=EMERGENCY · AT=CRITICAL → base EMERGENCY · uplift active exploitation, fleet-reachable authority → assessed EMERGENCY.

Unauthenticated root RCE on the embedded web server (AV:N, AC:L, a single crafted HTTP request, public PoCs) gives full control of the camera's sensing function. An attacker can exfiltrate live and stored video (DP:4, live camera/surveillance perception) and can equally suppress or falsify the camera's output. Because the device is a physical-security sensor, blinding it or fabricating its feed corrupts the operator's picture of safety-relevant reality and reduces the physical-security margin of the monitored premises (PH:3, perception_feeds_action=true). AT:3 reflects admin/service-level control over the device's perception and configuration, not a signing or trust root. RE:4: internet-exposed. EC:4: trivial. CH:4: crosses the network -> device -> physical-security boundary and is reusable across the fleet. SR:4: one primitive across millions of devices and dozens of models. SX:4: fleet-scale remote execution. OR:3: firmware update, plus reflash where an implant may have persisted. EV:4: field-confirmed, listed in CISA KEV.

ACCOUNT_AUTHORITY · EMERGENCY

CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:3/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE

Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=CRITICAL → base CRITICAL · uplift active exploitation, fleet-reachable authority → assessed EMERGENCY.

Distinct device-takeover terminal: root code execution yields the highest authority on the embedded OS (full admin control of the device, its configuration, credentials and firmware). AT:3 because this is admin/service/debug authority over a single device's OS and config, not a cross-fleet signing root or OTA root of trust (there is no evidence the exploit yields a vendor signing key). DP:3 covers the device credentials, firmware and operational state readable after root. PH:3 as recorded in the vector; the physical effect of this path itself is availability/workflow disruption of the device, with no severe direct actuation harm. RE:4: internet-exposed, unauthenticated. EC:4: single request, commodity toolkit. CH:4: enables lateral movement and pivoting across device -> network -> LAN/cloud boundaries (a reusable bridge). SR:4: the same primitive is reusable fleet-wide. SX:4: mass remote exploitation observed. OR:3: reflash or factory reset plus credential rotation, since persistence and implants are possible. EV:4: field-confirmed.

FLEET_CONTROL_PLANE · EMERGENCY

CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:3/DP:2/AT:2/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE

Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=CRITICAL → base CRITICAL · uplift active exploitation → assessed EMERGENCY.

Distinct scale/botnet terminal: a single reusable exploit primitive across an enormous installed base (millions of devices, dozens of models) enabled mass scanning and Mirai-style botnet enrollment. This is fleet-scale execution but not control of the vendor's legitimate management/OTA control plane or signing root, so AT:2 (bounded aggregation of compromised nodes rather than authority over the trust root). RE:4: internet-exposed. EC:4: automated commodity toolkits. CH:4: cross-domain reusable bridge feeding botnet C2 infrastructure. SR:4: portable primitive, no per-device secret needed. SX:4: fleet-scale remote execution without per-device access. PH:3 as recorded in the vector, and DP:2: the impact of this path is aggregate availability and telemetry loss rather than per-target safety or biometric data. OR:3: per-device firmware update or reflash across the fleet; recovery_needs_fleet_action is left false because each owner patches their own device and no vendor signing-root rotation is required. EV:4: field-confirmed, in KEV and in exploit kits.
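The scoring walk-through above (exposure, consequence bands, base verdict, uplift) is mechanical enough to check by machine. What follows is an added example, not the registry's or CFSE's own code: a parser for the CPATH vector strings printed in this entry, a verdict calculator, and two consistency checks that compare a path's narrative and its band line against its vector. The band table and uplift rule are assumptions inferred from this entry's three band lines (only 2 -> HIGH, 3 -> CRITICAL and 4 -> EMERGENCY are evidenced on the page; the "fleet-reachable authority" trigger is modelled as CH:4, SR:4 and AT >= 3 because that is the only reading under which it is active on the first two paths and not on the third). The narrative fragments in PROSE are constructed for the demonstration. Under a single band table the FLEET_CONTROL_PLANE band line's AT=CRITICAL at AT:2 is flagged; the registry may band authority on a different threshold, which this page does not state.

```python
"""CPATH vector parser and consistency checker (added example, not CFSE tooling).

Vector grammar is read off this entry's three vectors. Band thresholds and the
uplift rule are ASSUMPTIONS inferred from the entry's band lines.
"""
import re
from typing import Any, Dict, List

NUMERIC = ("RE", "EC", "EX", "PH", "DP", "AT", "CH", "SR", "SX", "OR", "EV")
CATEGORICAL = ("TT", "LS")
# Assumed table: only 2..4 are evidenced on the page; 0 and 1 are extrapolated.
BANDS = {0: "NONE", 1: "MEDIUM", 2: "HIGH", 3: "CRITICAL", 4: "EMERGENCY"}
ORDER = ["NONE", "MEDIUM", "HIGH", "CRITICAL", "EMERGENCY"]

_VEC = re.compile(r"^CPATH:([^/]+)((?:/[A-Z]{2}:[A-Za-z0-9_.-]+)+)$")


def parse_vector(vec: str) -> Dict[str, Any]:
    """Parse 'CPATH:<ver>/TT:.../RE:n/.../LS:...' into a dict; reject malformed input."""
    m = _VEC.match(vec.strip())
    if not m:
        raise ValueError(f"not a CPATH vector: {vec!r}")
    out: Dict[str, Any] = {"version": m.group(1)}
    for field in m.group(2)[1:].split("/"):
        key, _, val = field.partition(":")
        if key in NUMERIC:
            n = int(val)
            if not 0 <= n <= 4:
                raise ValueError(f"{key}:{n} out of range 0..4")
            out[key] = n
        elif key in CATEGORICAL:
            out[key] = val
        else:
            raise ValueError(f"unknown dimension {key}")
    missing = set(NUMERIC + CATEGORICAL) - set(out)
    if missing:
        raise ValueError(f"vector missing {sorted(missing)}")
    return out


def band(score: int) -> str:
    return BANDS[score]


def base_verdict(v: Dict[str, Any]) -> str:
    """Base verdict = worst band among the consequence dimensions PH, DP, AT."""
    return max((band(v[k]) for k in ("PH", "DP", "AT")), key=ORDER.index)


def uplifts(v: Dict[str, Any]) -> List[str]:
    """Uplift triggers (assumption): EV:4 = active exploitation; CH:4 + SR:4 with
    AT >= 3 = fleet-reachable authority (a chainable, fleet-reusable primitive
    that reaches admin-level authority)."""
    found = []
    if v["EV"] == 4:
        found.append("active exploitation")
    if v["CH"] == 4 and v["SR"] == 4 and v["AT"] >= 3:
        found.append("fleet-reachable authority")
    return found


def assessed_verdict(v: Dict[str, Any]) -> str:
    """Each uplift raises the base one band, capped at EMERGENCY (assumption)."""
    idx = ORDER.index(base_verdict(v))
    return ORDER[min(idx + len(uplifts(v)), len(ORDER) - 1)]


def prose_mismatches(v: Dict[str, Any], prose: str) -> List[str]:
    """Find 'XX:n' tokens in a narrative that disagree with the vector."""
    bad = []
    for key, val in re.findall(r"\b([A-Z]{2}):([0-4])\b", prose):
        if key in NUMERIC and int(val) != v[key]:
            bad.append(f"{key}: prose says {val}, vector says {v[key]}")
    return bad


def band_line_mismatches(v: Dict[str, Any], line: str) -> List[str]:
    """Compare a 'bands PH=... DP=... AT=...' line against the vector under the assumed table."""
    bad = []
    for key, name in re.findall(r"\b(PH|DP|AT)=([A-Z]+)", line):
        expected = band(v[key])
        if name != expected:
            bad.append(f"{key}: band line says {name}, {key}:{v[key]} maps to {expected}")
    return bad


# The three vectors and band lines from this entry.
ENTRY = {
    "PERCEPTION_TO_ACTION": "CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:4/EC:4/EX:4/PH:3/DP:4/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE",
    "ACCOUNT_AUTHORITY": "CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:3/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE",
    "FLEET_CONTROL_PLANE": "CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:3/DP:2/AT:2/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE",
}
BAND_LINES = {
    "PERCEPTION_TO_ACTION": "bands PH=CRITICAL · DP=EMERGENCY · AT=CRITICAL",
    "ACCOUNT_AUTHORITY": "bands PH=CRITICAL · DP=CRITICAL · AT=CRITICAL",
    "FLEET_CONTROL_PLANE": "bands PH=CRITICAL · DP=HIGH · AT=CRITICAL",
}
# Constructed narrative fragments: a rationale written for PH:2 beside a vector recording PH:3.
PROSE = {
    "ACCOUNT_AUTHORITY": "DP:3 covers device credentials/firmware/op-state. PH:2 availability/workflow disruption of the device itself.",
    "FLEET_CONTROL_PLANE": "PH:2 / DP:2 reflect aggregate availability and telemetry impact.",
}


def audit() -> Dict[str, Dict[str, Any]]:
    """Parse every path, recompute its verdicts and list the discrepancies found."""
    report = {}
    for name, vec in ENTRY.items():
        v = parse_vector(vec)
        report[name] = {
            "base": base_verdict(v),
            "assessed": assessed_verdict(v),
            "uplifts": uplifts(v),
            "prose_mismatches": prose_mismatches(v, PROSE.get(name, "")),
            "band_line_mismatches": band_line_mismatches(v, BAND_LINES[name]),
        }
    return report


if __name__ == "__main__":
    for name, r in audit().items():
        print(name, r)
```

Run as a script to print one report line per path; all three come out EMERGENCY, matching the page, and the two constructed PH:2 fragments plus the FLEET AT band are reported as discrepancies. The function names (parse_vector, audit, and so on) are this example's, not a registry API.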

Published baseline

The published CVSS baseline above is retained for source review. The registry scores the reachable consequence paths instead, including deployment-specific cyber-physical consequence, physical/safety impact, scale and recovery burden, which is why the paths verdict sits above the baseline here.

Sources

Cite this entry: CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0029 (“Hikvision IP camera / NVR unauthenticated command injection (CVE-2021-36260)”), paths.cfse.ai/CPATH-2026-0029 (published 2026-06-03).