Update on Privilege-Escalation Vulnerability Notice

May 4, 2017


Dear Valued Customers and Partners:

Hikvision is honored to work with the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center in our ongoing cybersecurity best practice efforts.

We’re pleased to announce that Hikvision’s successful progress on a privilege-escalating vulnerability has been acknowledged by ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Specifically, ICS-CERT has recognized that on March 15, 2017 Hikvision released the fixed firmware version 5.4.5 to address the user privilege-escalation vulnerability.

What do customers need to know about the privilege-escalating vulnerability? What steps should customers take to enhance the cybersecurity of Hikvision systems?

  • Please review the March 15, 2017 notice, which outlines potential cybersecurity concerns that could arise with specific cameras under certain, fairly uncommon circumstances. To date, Hikvision is not aware of any reports of malicious activity associated with this vulnerability.

  • Hikvision always recommends a systematic, multi-step approach to enhance cybersecurity protection. To assist customers and partners, Hikvision offers a number of industry-leading cybersecurity resources. Please visit the Hikvision Security Center for more information.

  • The Hikvision Network Security Hardening Guide is a new resource for installers.

  • Hikvision also encourages customers to utilize ICS-CERT resources, including ICS-CERT Recommended Practices and ICS-CERT Defense in Depth.

Did ICS-CERT recommend further enhancements in future firmware upgrades?

  • ICS-CERT identified two areas of potential concern: the configuration file and “gray market” cameras.

Under what circumstances is there a concern with the configuration file? How will Hikvision address this concern?

  • The configuration file is encrypted and therefore not readable, which protects users’ credentials. Also, the configuration file can only be exported by the admin account. Hikvision appreciates ICS-CERT’s comment and will enhance the private key decryption storage method in the upcoming firmware release.

What is the concern with “gray market” cameras? Doesn’t Hikvision only service cameras that are purchased through authorized channels?

  • As always, Hikvision warns potential customers against purchasing from unauthorized distributors. Only authorized Hikvision USA distributors ensure customers receive the benefits of technical support, project registration, and Hikvision USA's full warranty. Click here to see the list of authorized Hikvision distributors.

  • Hikvision products purchased from an online source or unauthorized distributor may not be compatible with the North American region’s firmware and are considered to be “gray market” products. Updating the firmware from the Hikvision USA site can lead to complications in gray market cameras. Gray market camera users should upgrade firmware through their original purchasing channel.

  • If you have any questions or concerns about the official status of your Hikvision distributor, please contact Hikvision USA Customer Service at

Hikvision is proud to be at the forefront of the move to improve cybersecurity best practices in our industry. Cybersecurity must be top-of-mind throughout the product lifecycle, from R&D and manufacturing to installation and maintenance. Hikvision’s in-house cybersecurity experts are dedicated to constantly assessing and improving our products and our processes, and the Hikvision team provides market-leading cybersecurity education and support to our valued customers. We’re also actively engaged with our competitors and partners on collaborative cybersecurity efforts that benefit our entire industry.

Interoperability is key to the success of IP video technology. While it’s exciting to watch the ecosystem of video surveillance devices multiply, this also increases our cybersecurity challenges. Establishing interoperability standards for video surveillance should be a top priority and one that everyone in the surveillance industry needs to share.

Team Hikvision USA Inc. & Hikvision Canada Inc.
