Hikvision and Rockwell Automation CVSS 9.8 Flaws Added to CISA KEV Catalog

TL;DR:
CISA added Hikvision and Rockwell Automation vulnerabilities rated CVSS 9.8 to the Known Exploited Vulnerabilities (KEV) catalog (May 2024, https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
Because the flaws bypass authentication, a remote attacker can take control of affected OT and surveillance systems without credentials.
Immediate action: Change default credentials, patch affected firmware, segment networks. See checklist below.
Remote Exploitation Continues: Hikvision and Rockwell CVSS 9.8 Flaws Hit CISA KEV
Who Should Care
CISOs: Direct impact on enterprise risk, regulatory exposure.
SOC and IR Teams: High-priority hunting; close any monitoring gap on these assets immediately.
OT/ICS Engineers and Integrators: Safety and uptime at risk; exploitation can halt physical processes.
Network/Admin Teams: Urgent need for segmentation, port restrictions, credential hygiene.
How These Flaws Work — Technical Root Cause
Hikvision (CVE-2024-25063): Authentication Bypass
- Core issue: insufficient authentication logic lets a remote attacker bypass the login and obtain administrator access on affected camera models.
- References: NVD entry and vendor advisory (listed under References).
Rockwell Automation (CVE-2024-0736, CVE-2023-3595): Authentication Bypass, RCE
- Core issue (CVE-2024-0736): improper restriction of access to critical functions in Studio 5000 Logix Emulate, allowing network-based remote code execution and privilege escalation on the host running the emulator.
- CVE-2023-3595: the second Rockwell identifier tracked here; confirm its affected product list against the vendor advisory before scoping patches.
- References: NVD entry for CVE-2024-0736 and vendor advisory (listed under References).
- Exploitable over the network without authentication. Where these hosts are reachable, an attacker can reprogram PLCs from the compromised engineering environment or shut down lines (CISA KEV entry).
Severity: CVSS 9.8 per the NVD entries for each CVE and the CISA KEV catalog.
Takeaway:
Direct, unauthenticated remote access to critical OT and surveillance assets is possible if these flaws remain unmitigated.
Field Experience: Default Credentials in a Tier-1 Data Center (2019, anonymized; incident handled with client approval)
Audit, 2019: During a physical security assessment for a national-tier data center, I located multiple Hikvision IP cameras monitoring sensitive areas.
- Finding: Default admin/admin credentials on 80% of devices, most running unsupported firmware.
- Method: Gained authorized access with client approval, confirmed remote login and the ability to reconfigure streams and exfiltrate video.
- Impact: Lateral movement to network-attached storage was probable, given camera placement and lack of segmentation.
- Lesson Learned: Even today, asset owners frequently fail at basic credential hygiene—attackers don't need custom exploits when default access is enough.
Immediate Actions for SOCs and OT Teams
If you do ONE thing right now: Identify and remove all default or weak credentials on all Hikvision and Rockwell Automation devices.
Next 1 Hour
- Inventory affected devices: search for Hikvision products by model and for Rockwell PLC and Studio 5000 Logix Emulate hosts.
- Isolate management interfaces: restrict them to the local management VLAN and block reachability from the public internet immediately.
- Change credentials: remove default accounts or set strong, unique passwords on every device.
- Activate and verify logging: forward authentication failures and configuration changes from these endpoints to the SIEM.
Detection and Hunting Guidance
Focus detection on unauthorized access and privilege escalation attempts.
- IDS/IPS network rules:
  - Configure Suricata/Zeek to alert on HTTP/HTTPS/RTSP sessions to device management ports (80/443/554) from any source outside the management VLAN; review anomalous source IPs.
- OT monitoring:
  - Flag ladder-logic modification attempts, unplanned project downloads, and firmware changes on Rockwell controllers.
- SIEM queries:
  - Search for failed logins, new user-account creation, and configuration-file downloads on the affected devices.
  - Example Splunk search (the subnets are placeholders: substitute your inventoried camera/PLC ranges and your management VLAN; free-text terms such as "Hikvision" rarely appear in flow logs, so match on asset addresses instead):
  index=network_traffic dest_port IN (22, 23, 80, 443, 554, 44818) (dest_ip="10.20.0.0/24" OR dest_ip="10.21.0.0/24") NOT src_ip="10.99.0.0/24" | stats count values(dest_port) AS ports by src_ip, dest_ip
- Log sources:
  - Firewall logs (allow and deny for the affected asset subnets), endpoint logs on jump servers, and cloud access logs if any remote management is in play.
- Correlate with exploitation dates:
  - Filter to May 2024 onward for post-KEV activity, but also review earlier hits against the same assets: a KEV entry records exploitation that was already under way.
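The hunting logic above, run over a few constructed log lines, as an added example (not code from the article or from either vendor). It assumes key=value firewall and device syslog formats, the subnets 10.20.0.0/24 and 10.21.0.0/24 for cameras and PLCs, 10.99.0.0/24 as the only trusted management VLAN, event names such as config_export and project_download, and a five-failure threshold; replace those with your own inventory and log schema. It flags allowed sessions to management ports from untrusted sources, failed-login bursts, a success that follows a burst, and configuration or logic changes issued from outside the management VLAN, and can be filtered to activity since the KEV addition.

```python
"""Hunt for the activity described in the detection guidance above.
Added example, not code from the article: the log formats, subnets and event
names below are assumptions chosen to make it run offline on constructed lines."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout (not from the article): where the cameras/PLCs live and
# the only network that should ever reach their management ports.
OT_ASSET_NETS = [ip_network("10.20.0.0/24"), ip_network("10.21.0.0/24")]
TRUSTED_MGMT_NETS = [ip_network("10.99.0.0/24")]
MGMT_PORTS = {22, 23, 80, 443, 554, 44818}          # port list from the article
FAILED_LOGIN_THRESHOLD = 5                           # assumed threshold
# Assumed device event names for "config file downloads" and logic/firmware changes.
CHANGE_EVENTS = {"config_export", "project_download", "firmware_update", "user_create"}
KEV_ADDED = "2024-05-01T00:00:00Z"                   # article says May 2024; day assumed

# Constructed firewall log lines (key=value style is an assumption).
FIREWALL_LOGS = """\
2024-05-14T09:01:02Z action=allow src=10.99.0.15 dst=10.20.0.31 dport=443 proto=tcp
2024-05-14T09:01:05Z action=allow src=203.0.113.44 dst=10.20.0.31 dport=80 proto=tcp
2024-05-14T09:01:09Z action=allow src=203.0.113.44 dst=10.20.0.31 dport=554 proto=tcp
2024-05-14T09:02:11Z action=allow src=10.50.3.7 dst=10.21.0.12 dport=44818 proto=tcp
2024-05-14T09:02:30Z action=deny src=198.51.100.9 dst=10.21.0.12 dport=44818 proto=tcp
2024-05-14T09:03:00Z action=allow src=10.99.0.15 dst=10.21.0.12 dport=443 proto=tcp
"""

# Constructed camera/PLC syslog lines forwarded to the SIEM (format assumed).
DEVICE_LOGS = """\
2024-05-14T09:01:06Z host=cam-lobby-01 event=login_failed user=admin src=203.0.113.44
2024-05-14T09:01:07Z host=cam-lobby-01 event=login_failed user=admin src=203.0.113.44
2024-05-14T09:01:08Z host=cam-lobby-01 event=login_failed user=admin src=203.0.113.44
2024-05-14T09:01:09Z host=cam-lobby-01 event=login_failed user=admin src=203.0.113.44
2024-05-14T09:01:10Z host=cam-lobby-01 event=login_failed user=admin src=203.0.113.44
2024-05-14T09:01:12Z host=cam-lobby-01 event=login_success user=admin src=203.0.113.44
2024-05-14T09:01:20Z host=cam-lobby-01 event=config_export user=admin src=203.0.113.44
2024-05-14T09:02:12Z host=plc-line2 event=project_download user=engineer src=10.50.3.7
2024-05-14T09:03:01Z host=cam-lobby-01 event=login_success user=operator src=10.99.0.15
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into (timestamp, {k: v})."""
    ts, _, rest = line.partition(" ")
    return ts, dict(KV_RE.findall(rest))


def in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def hunt_firewall(log_text, since=None):
    """Allowed sessions to OT/camera management ports from outside the trusted
    management network. Denies are the control working; an allow is the gap."""
    findings = []
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        if since and ts < since:            # ISO-8601 strings compare chronologically
            continue
        if f.get("action") != "allow" or int(f["dport"]) not in MGMT_PORTS:
            continue
        if in_any(f["dst"], OT_ASSET_NETS) and not in_any(f["src"], TRUSTED_MGMT_NETS):
            findings.append({"ts": ts, "rule": "untrusted_src_to_mgmt_port",
                             "src": f["src"], "dst": f["dst"], "dport": int(f["dport"])})
    return findings


def hunt_device_logs(log_text, since=None):
    """Failed-login bursts, a success that follows a burst, and config or logic
    changes issued from outside the trusted management network."""
    failures = defaultdict(int)      # (host, src) -> consecutive failed logins
    findings = []
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        if since and ts < since:
            continue
        key, event = (f["host"], f["src"]), f["event"]
        hit = {"ts": ts, "host": f["host"], "src": f["src"], "user": f.get("user")}
        if event == "login_failed":
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:   # alert once per burst
                findings.append({**hit, "rule": "failed_login_burst"})
        elif event == "login_success":
            if failures[key] >= FAILED_LOGIN_THRESHOLD:
                findings.append({**hit, "rule": "login_success_after_burst"})
            failures[key] = 0
        elif event in CHANGE_EVENTS and not in_any(f["src"], TRUSTED_MGMT_NETS):
            findings.append({**hit, "rule": "untrusted_" + event})
    return findings


if __name__ == "__main__":
    for finding in hunt_firewall(FIREWALL_LOGS, since=KEV_ADDED) + hunt_device_logs(DEVICE_LOGS, since=KEV_ADDED):
        print(finding)
```

Run as a script it prints seven findings: three allowed management-port sessions from untrusted sources (the denied attempt from 198.51.100.9 produces nothing, since the deny is the control working), the brute-force burst and its subsequent success on cam-lobby-01, the configuration export that followed, and the project download to plc-line2 from a host outside the management VLAN. The same logic maps onto a SIEM query once the field names are aligned with your log schema.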

Risk Matrix: Where to Prioritize
High Priority (P0):
- PLCs in direct process control (Rockwell)
- Cameras with line-of-sight to regulated or sensitive areas (Hikvision)
Medium (P1):
- Cameras/PLCs in IT/OT DMZ
- Devices not exposed to internet but lacking segmentation
Low:
- Devices air-gapped OR in physically/virtually isolated segments
Remediation: Patching and Long-Term Controls
Aim for sustainable risk reduction: lock down access and validate patch posture.
- Apply vendor patches: upgrade Hikvision devices per the advisory's affected-model list, and patch Rockwell Studio 5000 Logix Emulate per the Rockwell knowledgebase article.
- Segregate OT and IT networks: use separate physical interfaces or VLANs; no device should bridge both.
- Restrict device management access: block inbound traffic to management ports (22 SSH, 23 Telnet, 80/443 web UI, 554 RTSP, 44818 EtherNet/IP) from all non-trusted networks.
- Implement MFA or certificate-based authentication where the device supports it; fall back to long, unique passwords where it does not.
- Document firmware versions and patch history, and maintain an auditable asset inventory.
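An added example (not code from the article) that ties together the inventory step from the one-hour actions, the risk matrix, and the management-port restriction above: it assigns P0/P1/Low from inventory attributes and emits deny-by-default iptables rules per device, most exposed assets first. The inventory rows, the zone and role vocabulary, the placeholder firmware strings, the 10.99.0.0/24 management VLAN and the iptables output format are all assumptions; the one rule not in the article's matrix, treating any internet-exposed device as P0, is flagged in the code.

```python
"""Prioritise an inventory with the risk matrix above and emit deny-by-default
management-port ACLs for it. Added example, not code from the article: the
inventory rows, zone/role vocabulary and iptables output are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_network

MGMT_PORTS = (22, 23, 80, 443, 554, 44818)        # port list from the article
TRUSTED_MGMT_NET = ip_network("10.99.0.0/24")     # assumed management VLAN
PRIORITY_ORDER = {"P0": 0, "P1": 1, "Low": 2}


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str             # "Hikvision" or "Rockwell"
    model: str
    firmware: str
    ip: str
    zone: str               # assumed vocabulary: "process", "dmz", "business", "isolated"
    role: str               # assumed: "process_control", "sensitive_area", "general"
    internet_exposed: bool
    segmented: bool         # True if already behind its own VLAN/firewall


# Constructed inventory; model and firmware strings are placeholders, not real versions.
INVENTORY = [
    Device("plc-line2", "Rockwell", "ControlLogix", "fw-a", "10.21.0.12", "process", "process_control", False, False),
    Device("cam-vault-01", "Hikvision", "IP camera", "fw-b", "10.20.0.31", "business", "sensitive_area", True, False),
    Device("cam-dmz-03", "Hikvision", "IP camera", "fw-c", "10.30.0.5", "dmz", "general", False, True),
    Device("cam-parking-07", "Hikvision", "IP camera", "fw-d", "10.20.0.77", "business", "general", False, False),
    Device("plc-testbench", "Rockwell", "CompactLogix", "fw-e", "10.40.0.9", "isolated", "process_control", False, True),
]


def priority(d):
    """P0 / P1 / Low per the article's matrix. One addition, flagged as an assumption:
    anything reachable from the internet is treated as P0, since the article's first
    instruction is to remove that exposure immediately."""
    if d.zone == "isolated" and not d.internet_exposed:
        return "Low"                                   # air-gapped / isolated segment
    if d.internet_exposed:
        return "P0"                                    # assumption, see docstring
    if d.vendor == "Rockwell" and d.role == "process_control":
        return "P0"                                    # PLC in direct process control
    if d.vendor == "Hikvision" and d.role == "sensitive_area":
        return "P0"                                    # camera covering a sensitive area
    if d.zone == "dmz" or not d.segmented:
        return "P1"                                    # IT/OT DMZ or unsegmented
    return "Low"                                       # already isolated by segmentation


def _by_priority(devices):
    return sorted(devices, key=lambda d: (PRIORITY_ORDER[priority(d)], d.name))


def triage(devices):
    """Inventory grouped by priority, P0 first, for the 'inventory affected devices' step."""
    buckets = {"P0": [], "P1": [], "Low": []}
    for d in _by_priority(devices):
        buckets[priority(d)].append(d.name)
    return buckets


def acl_rules(devices, trusted=TRUSTED_MGMT_NET, ports=MGMT_PORTS):
    """iptables FORWARD rules: allow the management VLAN to each device's management
    ports, drop everyone else. Emitted P0 first so the most exposed assets are
    covered first if the change is applied incrementally."""
    port_list = ",".join(str(p) for p in ports)
    rules = []
    for d in _by_priority(devices):
        rules.append(f"# {d.name} ({d.vendor} {d.model}, {priority(d)})")
        rules.append(f"iptables -A FORWARD -s {trusted} -d {d.ip} -p tcp "
                     f"-m multiport --dports {port_list} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -d {d.ip} -p tcp "
                     f"-m multiport --dports {port_list} -j DROP")
    return rules


if __name__ == "__main__":
    for level, names in triage(INVENTORY).items():
        print(level, names)
    print("\n".join(acl_rules(INVENTORY)))
```

The ACCEPT rule for the management VLAN precedes the per-device DROP, so ordering matters if you paste the output into an existing ruleset; on a real firewall the same pairs translate directly into interface ACLs, and the triage output doubles as the inventory-by-priority list the one-hour checklist asks for.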
Change Control for OT: Patch with Caution
- Establish a maintenance window for production systems.
- Pre-stage patches in non-production/test networks.
- Have rollback/backup plans: Full config and state snapshots.
- Verify system health post-update: Audit logs, run controlled test routines.
24-Hour Checklist: Copy and Execute
- Inventory all Hikvision and Rockwell devices by model and firmware.
- Change default/admin credentials on all units.
- Block public internet access to device management interfaces.
- Enable logging and send to central SIEM.
- Apply patches per vendor advisory.
- Physically or logically segment devices from business network.
- Deploy/verify firewall or ACL rules for ports: 22, 23, 80, 443, 554, 44818.
- Monitor for suspicious authentication/config change activity.
- Communicate risk and actions to all relevant stakeholders (OT, SecOps, management).
Final Thought
The playbook doesn’t change: as long as critical OT and surveillance devices ship wide open out of the box—and asset owners keep prioritizing uptime over basic security hygiene—attackers won’t need zero-days to cause real-world impacts. The question is not if these assets are at risk, but how quickly you’ll detect the next breach.
References
- CISA Known Exploited Vulnerabilities Catalog
- Hikvision Security Notification: Authentication Bypass (Feb 2024)
- Rockwell Automation Advisory (CVE-2024-0736)
- NVD Entry: CVE-2024-25063 (Hikvision)
- NVD Entry: CVE-2024-0736 (Rockwell)
- CISA ICS Advisory ICSA-24-140-02
About the Author
Erik DeVries, CISSP, GICSP
20 years in OT/ICS security (2004–present). Former lead ICS incident response at Mandiant, ex-SOC architect for major utility. Advisor to Fortune 50 on critical infrastructure hardening. More: github.com/erikdevriessec
Contact: via LinkedIn