Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-58274

CVE-2024-58274: Hikvision iSecure Center RCE Vulnerability

CVE-2024-58274 is a remote code execution flaw in Hikvision iSecure Center that allows attackers to execute commands through JSON data. Exploited in the wild, this article covers technical details, affected versions, and mitigations.

Published:

CVE-2024-58274 Overview

CVE-2024-58274 is a command injection vulnerability in Hikvision Comprehensive Security Management Platform (CSMP) iSecure Center through builds dated 2024-08-01. The flaw resides in the /center/api/installation/detection API endpoint, which fails to sanitize JSON input before passing values to a shell context. Attackers can inject operating system commands using $( ) syntax and trigger remote execution without authentication. Public reporting indicates the issue has been exploited in the wild during 2024 and 2025. The vulnerability is categorized under [CWE-78] Improper Neutralization of Special Elements used in an OS Command.

Critical Impact

Unauthenticated network attackers can execute arbitrary operating system commands on iSecure Center servers, enabling persistence, lateral movement, and access to integrated video surveillance infrastructure.

Affected Products

  • Hikvision CSMP (Comprehensive Security Management Platform)
  • Hikvision iSecure Center
  • iSecure Center builds through 2024-08-01

Discovery Timeline

  • 2025-10-22 - CVE-2024-58274 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2024-58274

Vulnerability Analysis

The vulnerability stems from unsafe handling of user-supplied JSON data submitted to /center/api/installation/detection. The endpoint forwards string values into a shell-evaluated command without escaping or validating shell metacharacters. When an attacker embeds the $( ) command substitution syntax inside JSON fields, the shell evaluates the inner expression before the outer command runs. This grants arbitrary command execution under the privileges of the iSecure Center service account.

The attack vector is network-based and requires no authentication or user interaction. Because the affected component is a centralized security management platform, successful exploitation extends to managed cameras, NVRs, and downstream surveillance systems integrated with CSMP.

Root Cause

The root cause is missing input sanitization on JSON parameters before concatenation into an OS command string. The application trusts client-supplied values and invokes a shell interpreter rather than using parameterized process execution. Shell metacharacters such as $, (, ), backticks, and pipes are not filtered or escaped.

Attack Vector

An attacker sends a crafted HTTP POST request to /center/api/installation/detection containing a JSON body where one or more field values include a $(command) payload. The server passes that field to a shell, which expands the command substitution and executes the attacker-controlled command before processing continues. Public proof-of-concept tooling, including a Nuclei detection template, demonstrates the request structure. Additional technical write-ups are available on the Butian Forum and Aliyun Security News.

Detection Methods for CVE-2024-58274

Indicators of Compromise

  • HTTP POST requests to /center/api/installation/detection containing $(, backtick, or pipe characters in JSON values
  • Unexpected child processes spawned by the iSecure Center web service, such as sh, bash, curl, wget, or powershell
  • Outbound connections from iSecure Center hosts to untrusted external IP addresses shortly after requests to the detection endpoint
  • New files written to web-accessible directories or persistence locations on the CSMP server

Detection Strategies

  • Inspect web access logs for requests to /center/api/installation/detection and flag bodies containing shell metacharacters
  • Apply web application firewall rules that block JSON payloads matching command substitution patterns
  • Deploy the published Nuclei template against internal asset inventories to identify exposed iSecure Center instances
  • Correlate HTTP request telemetry with endpoint process-creation events on CSMP servers to surface command execution chains

Monitoring Recommendations

  • Forward iSecure Center web, application, and operating system logs to a centralized SIEM for retention and correlation
  • Alert on any shell or scripting interpreter spawned by the CSMP Java or web service parent process
  • Monitor egress traffic from management platform hosts and baseline expected destinations
  • Track authentication and configuration changes on connected cameras and recorders following suspicious requests

How to Mitigate CVE-2024-58274

Immediate Actions Required

  • Remove direct internet exposure of iSecure Center management interfaces and restrict access to trusted administrative networks
  • Apply vendor updates for Hikvision CSMP iSecure Center as soon as Hikvision publishes a fixed build
  • Audit CSMP servers for signs of prior compromise, including unfamiliar processes, scheduled tasks, and outbound connections
  • Rotate credentials, API tokens, and integration secrets stored on or used by iSecure Center

Patch Information

At the time of publication, no fixed version is listed in the NVD record. Administrators should monitor Hikvision security bulletins for an iSecure Center release that addresses the /center/api/installation/detection command injection and upgrade once available. Verify patch application by re-testing the endpoint with the public Nuclei template.

Workarounds

  • Block external access to /center/api/installation/detection at the reverse proxy or WAF until a patch is installed
  • Deploy WAF signatures that reject JSON bodies containing $(, backticks, semicolons, or pipe characters destined for CSMP endpoints
  • Place iSecure Center behind a VPN or jump host and require multi-factor authentication for administrator access
  • Segment the surveillance management network from corporate and internet-facing zones to limit blast radius
bash
# Example reverse proxy rule to block the vulnerable endpoint
location /center/api/installation/detection {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.