Skip to main content
CVE Vulnerability Database

CVE-2026-1749: HikCentral Auth Bypass Vulnerability

CVE-2026-1749 is an authentication bypass vulnerability in HikCentral Professional that allows unauthenticated users to gain admin permissions. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-1749 Overview

CVE-2026-1749 is an access control vulnerability affecting certain versions of Hikvision HikCentral Professional. The flaw allows an unauthenticated remote attacker to obtain administrator-level permissions on the application. HikCentral Professional is a centralized video management system deployed across enterprise and critical infrastructure environments, making improper access control [CWE-284] a significant risk to surveillance integrity and physical security operations.

Critical Impact

An unauthenticated attacker reachable over the network can gain admin permissions on HikCentral Professional, granting full control of video surveillance, user accounts, and connected devices.

Affected Products

  • Hikvision HikCentral Professional (specific affected versions listed in the vendor advisory)
  • Deployments exposing the HikCentral Professional web management interface to untrusted networks
  • Environments integrating HikCentral Professional with Hikvision cameras, NVRs, and access control devices

Discovery Timeline

  • 2026-05-09 - CVE-2026-1749 published to the National Vulnerability Database
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-1749

Vulnerability Analysis

The vulnerability is categorized under [CWE-284] Improper Access Control. HikCentral Professional fails to correctly enforce authorization checks on a network-reachable interface. An unauthenticated attacker can exploit this gap to escalate privileges directly to the admin role without supplying valid credentials.

Successful exploitation yields complete administrative control of the video management platform. An attacker can manage users, view or delete recorded footage, reconfigure cameras and access control devices, and pivot into integrated security subsystems. The attack complexity is high, which constrains opportunistic exploitation but does not eliminate risk in targeted scenarios. The scope is changed, meaning impact extends beyond the vulnerable component into integrated systems managed by HikCentral.

Root Cause

The root cause is missing or improperly enforced authorization on functionality that should be restricted to authenticated administrators. The application trusts requests that should require credential validation, treating certain entry points as if access control had already been satisfied. Hikvision has not published low-level technical details of the flaw beyond the access control classification.

Attack Vector

The attack vector is network-based and requires no user interaction. An attacker with reachability to the HikCentral Professional service sends crafted requests that bypass authentication and authorization checks. No prior credentials, sessions, or tokens are needed. Refer to the Hikvision Security Advisory for vendor-confirmed exploitation conditions and affected version ranges.

No public proof-of-concept code or exploit modules have been published. No verified code examples are available for this CVE, and synthetic exploitation code is intentionally omitted.

Detection Methods for CVE-2026-1749

Indicators of Compromise

  • Creation of new administrator accounts in HikCentral Professional without a corresponding change-management record
  • Unexpected configuration changes to cameras, recording schedules, or access control rules
  • Authentication or audit log entries showing privileged operations preceded by no successful login event
  • Outbound connections from the HikCentral server to unfamiliar external IP addresses

Detection Strategies

  • Audit HikCentral Professional user databases for accounts not provisioned through standard onboarding processes
  • Monitor web server and application logs for anomalous request patterns targeting authentication or administrative endpoints
  • Compare current HikCentral build version against the fixed versions listed in the Hikvision advisory
  • Correlate surveillance configuration changes with authenticated user sessions to identify unattributed modifications

Monitoring Recommendations

  • Forward HikCentral Professional application and audit logs to a centralized SIEM for retention and correlation
  • Alert on privileged actions such as user creation, role assignment, and device deletion outside business hours
  • Track network connections to the HikCentral management port from sources outside the management VLAN

How to Mitigate CVE-2026-1749

Immediate Actions Required

  • Apply the patched HikCentral Professional version published in the Hikvision Security Advisory as soon as possible
  • Restrict network access to the HikCentral Professional management interface using firewall rules and dedicated management VLANs
  • Review all administrator accounts and remove any that cannot be attributed to a known operator
  • Rotate credentials for HikCentral administrators and any integrated service accounts

Patch Information

Hikvision has released a security update addressing CVE-2026-1749. Administrators should download the fixed build directly from Hikvision and verify version numbers against the vendor advisory. Confirm patch application by checking the HikCentral Professional About dialog and reviewing the upgrade log.

Workarounds

  • Place HikCentral Professional behind a VPN or zero-trust network access gateway to eliminate direct internet exposure
  • Disable or block external access to the web management interface until the patch is installed
  • Enable strict source-IP allowlisting on perimeter devices in front of HikCentral servers
bash
# Example: restrict access to HikCentral management ports to a management subnet
# Replace 10.10.20.0/24 with your authorized management network
iptables -A INPUT -p tcp --dport 80 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.