
CISA KEV Alert: Active Exploitation Detected in Critical Hikvision and Rockwell Flaws

Security Arsenal Team
March 6, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a stern warning to organizations by adding two critical security flaws, impacting Hikvision and Rockwell Automation products, to its Known Exploited Vulnerabilities (KEV) catalog. This designation is not merely a procedural update: CISA adds an entry only when it has reliable evidence that threat actors are exploiting the vulnerability in the wild.

For managed security providers and internal SOC teams, this signals an immediate need for asset identification and patching, particularly within Operational Technology (OT) and IoT environments where these devices are prevalent.

The Threat Landscape

The inclusion of these vulnerabilities in the KEV catalog underscores a harsh reality in modern cybersecurity: legacy and unpatched devices remain the low-hanging fruit for initial access brokers and ransomware operators.

Deep Dive: CVE-2017-7921 (Hikvision)

While a 2017 CVE identifier might seem like "old news," this Hikvision flaw (CVSS 9.8) remains a persistent problem in network security. It is an improper authentication vulnerability affecting specific IP camera models: an unauthenticated remote attacker can bypass the device's authentication checks and gain administrative access to it.

Why it matters now: Many organizations deploy "set it and forget it" IoT devices like security cameras. These devices often sit on the network perimeter or in segmented VLANs that are infrequently scanned. Because they are embedded systems, patching is disruptive and usually means a firmware update that takes the camera offline. Consequently, adversaries scan the internet specifically for this vulnerability to establish a foothold, pivot into the internal network, or recruit the device into a botnet for DDoS attacks.

Rockwell Automation Vulnerabilities

Though specific details vary by CVE, the addition of Rockwell Automation flaws highlights the ongoing targeting of Industrial Control Systems (ICS). Threat actors are increasingly moving beyond data extortion to process disruption. Exploiting vulnerabilities in Rockwell assets allows attackers to manipulate industrial processes, potentially causing physical damage or significant production downtime.

Detection and Threat Hunting

Given the active exploitation status, security teams must assume that scans or exploit attempts are already occurring against their external footprint. Below are detection mechanisms and hunting queries to identify compromise attempts.

1. KQL Queries (Microsoft Sentinel/Defender)

Use this query to surface external addresses that repeatedly hit Hikvision web, SDK or RTSP ports on your cameras. It assumes firewall or other CEF-format logs are ingested into CommonSecurityLog and that camera addresses are maintained in a Sentinel watchlist; cameras do not run an endpoint agent, so the DeviceNetworkEvents table will never see this traffic.

Script / Code
// Surface external sources hammering Hikvision web, SDK or RTSP ports on known camera addresses.
// Assumes firewall/CEF logs land in CommonSecurityLog and camera IPs live in a 'HikvisionCameras' watchlist.
let CameraIPs = _GetWatchlist('HikvisionCameras') | project IPAddress;
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationPort in (80, 443, 8000, 8080, 554) // web UI, HTTPS, SDK, alternate web, RTSP
| where DestinationIP in (CameraIPs)
| where not(ipv4_is_private(SourceIP)) // inbound from outside RFC 1918 space
| summarize Attempts = count(), Ports = make_set(DestinationPort) by SourceIP, DestinationIP, bin(TimeGenerated, 5m)
| where Attempts > 10 // threshold for brute force or scanning activity; tune to your baseline
| order by Attempts desc

2. Bash Script for Asset Discovery

Before you can patch, you must know what you have. This script uses nmap to find hosts on your local subnets with the Hikvision web interface (80), SDK/control port (8000) or RTSP (554) open, then fingerprints each one over HTTP.

Script / Code
#!/bin/bash
set -euo pipefail

# Define your network range here (or pass it as the first argument)
NETWORK_RANGE="${1:-192.168.1.0/24}"

echo "Scanning $NETWORK_RANGE for Hikvision devices..."

IP_LIST="$(mktemp)"
trap 'rm -f "$IP_LIST"' EXIT

# Greppable output prints a "Ports:" line for every host with at least one open port;
# keep only those lines, take the IP (field 2) and de-duplicate.
nmap -p 80,8000,554 --open -oG - "$NETWORK_RANGE" | awk '/Ports:/ {print $2}' | sort -u > "$IP_LIST"

while read -r ip; do
  echo "Checking $ip for Hikvision fingerprint..."
  # Pull headers and body of the landing page; Hikvision web UIs usually identify
  # themselves in the Server header or the page title.
  if curl -s --connect-timeout 2 --max-time 5 -i "http://$ip/" | grep -qi "hikvision"; then
    echo "[+] Potential Hikvision device found at: $ip"
  fi
done < "$IP_LIST"

3. PowerShell for Network Traffic Analysis

If you can get firewall logs or NetFlow exports into PowerShell, you can hunt for external sources reaching Rockwell or Hikvision ports and rank them by volume.

Script / Code
# Import example firewall log (assumes a CSV export with SourceAddress, DestinationAddress, DestinationPort and Timestamp columns)
$Logs = Import-Csv -Path "C:\Logs\firewall_traffic.csv"

# Target ports: EtherNet/IP for Rockwell (44818 explicit messaging, 2222 implicit I/O) and Hikvision web/SDK
$TargetPorts = @(44818, 2222, 80, 8000)

# RFC 1918 source ranges (10/8, 172.16/12, 192.168/16); anything else is treated as external
$InternalPatterns = @('^10\.', '^192\.168\.', '^172\.(1[6-9]|2[0-9]|3[01])\.')

function Test-InternalAddress {
    param([string]$Address)
    foreach ($Pattern in $InternalPatterns) {
        if ($Address -match $Pattern) { return $true }
    }
    return $false
}

# Keep only external sources talking to OT/IoT ports; cast the port so CSV strings compare as numbers
$SuspiciousTraffic = $Logs | Where-Object {
    ($TargetPorts -contains [int]$_.DestinationPort) -and
    -not (Test-InternalAddress $_.SourceAddress)
}

if ($SuspiciousTraffic) {
    Write-Host "Alert: Suspicious inbound traffic detected on OT/IoT ports." -ForegroundColor Red
    # Group per source/destination/port so scanners and brute-forcers stand out by hit count
    $SuspiciousTraffic |
        Group-Object SourceAddress, DestinationAddress, DestinationPort |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
} else {
    Write-Host "No suspicious traffic detected on monitored ports." -ForegroundColor Green
}
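The three snippets above all apply the same hunting logic to different data sources. The following Python script is an added example, not code from the original post or from Security Arsenal, that runs that logic offline over a constructed firewall log so you can see what does and does not fire. It assumes a CSV with timestamp, source, destination, port and action columns, the same 10-hits-per-5-minutes threshold as the KQL query, and sample addresses (10.0.50.10 camera, 10.0.60.5 PLC, 10.0.5.2 NVR, 203.0.113.7, 198.51.100.9 and 192.0.2.4 as outside hosts) that are constructed for illustration. It adds one check the page's queries imply but do not spell out: a single allowed inbound flow from the internet to a Rockwell EtherNet/IP port is a finding on its own, regardless of volume.

```python
"""Hunt a constructed firewall log for external sources probing Hikvision and Rockwell ports.

Added example, not code from the original post. Sample traffic, device addresses and the
threshold are assumptions for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

HIKVISION_PORTS = {80, 443, 8000, 8080, 554}   # web UI, HTTPS, SDK, alternate web, RTSP
ROCKWELL_PORTS = {44818, 2222}                 # EtherNet/IP explicit messaging and implicit I/O
SCAN_THRESHOLD = 10                            # hits per (source, device) per 5-minute window
WINDOW_MINUTES = 5

# RFC 1918 only. ipaddress's is_private() also covers documentation ranges such as
# 203.0.113.0/24, which would hide the "external" probes in the sample below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def asset_class(port: int) -> Optional[str]:
    """Map a destination port to the asset family it implies, or None if not watched."""
    if port in ROCKWELL_PORTS:
        return "rockwell-ics"
    if port in HIKVISION_PORTS:
        return "hikvision-iot"
    return None


def window_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 5-minute bin (same idea as KQL bin())."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)


def parse_log(text: str) -> list:
    """Parse CSV rows of timestamp,src_ip,dst_ip,dst_port,action into typed dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "src": row["src_ip"],
            "dst": row["dst_ip"],
            "port": int(row["dst_port"]),
            "action": row["action"],
        })
    return rows


def hunt(rows: list) -> list:
    """Two checks over external traffic to watched ports:
    1. any flow the firewall ALLOWED from outside to a Rockwell/EtherNet/IP port is a
       finding by itself, because a PLC should never be reachable from the internet;
    2. more than SCAN_THRESHOLD hits from one source to one device inside a 5-minute
       window, allowed or denied, is scanning or brute force.
    """
    findings = []
    buckets = defaultdict(int)
    for r in rows:
        cls = asset_class(r["port"])
        if cls is None or is_internal(r["src"]):
            continue  # internal chatter (NVR, VMS, engineering workstation) is out of scope here
        if cls == "rockwell-ics" and r["action"] == "allow":
            findings.append({"type": "allowed-external-ics", "src": r["src"],
                             "dst": r["dst"], "port": r["port"]})
        buckets[(r["src"], r["dst"], cls, window_start(r["ts"]))] += 1
    for (src, dst, cls, win), hits in buckets.items():
        if hits > SCAN_THRESHOLD:
            findings.append({"type": "scan-or-bruteforce", "src": src, "dst": dst,
                             "asset": cls, "window": win.isoformat(), "hits": hits})
    return findings


def build_sample_log() -> str:
    """Constructed sample traffic (not a real capture)."""
    base = datetime(2026, 3, 6, 8, 0, 0)
    lines = ["timestamp,src_ip,dst_ip,dst_port,action"]
    # external host hammering a camera's web port: 12 denied hits inside one bin
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()},203.0.113.7,10.0.50.10,80,deny")
    # low-rate external probe of the SDK port: stays under threshold
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()},192.0.2.4,10.0.50.10,8000,deny")
    # internal NVR pulling RTSP at high volume: legitimate, must not alert
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()},10.0.5.2,10.0.50.10,554,allow")
    # a single ALLOWED hit from outside on a PLC's EtherNet/IP port: finding by itself
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()},198.51.100.9,10.0.60.5,44818,allow")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in hunt(parse_log(build_sample_log())):
        print(finding)
```

Run against the constructed sample it reports exactly two findings: the 12-hit burst from 203.0.113.7 against the camera and the single allowed EtherNet/IP flow to the PLC. The NVR's 20 RTSP requests and the three-hit probe from 192.0.2.4 are correctly silent, which is the behaviour you want before pointing this at a real export.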

Mitigation Strategies

Detection is only half the battle. Under CISA's Binding Operational Directive 22-01, federal civilian agencies must remediate KEV entries by their assigned due dates; private sector entities should follow suit with the following actionable steps:

  1. Immediate Patching: Apply the latest firmware updates provided by Hikvision and Rockwell Automation immediately. For CVE-2017-7921, if the device is too old to receive a patch, it must be replaced.

  2. Network Segmentation: Ensure that IoT and OT devices are on isolated VLANs. They should not have direct internet access unless strictly necessary (e.g., for cloud video management), and this should be mediated via a proxy or firewall.

  3. Disable Unused Services: If Hikvision cameras do not require remote management via the web interface, disable the HTTP/HTTPS server on the device and rely on local configuration or a secure Video Management System (VMS).

  4. Access Control Lists (ACLs): Configure firewall rules to only allow specific IP addresses (e.g., the NVR or Management Server) to communicate with the cameras and PLCs.

Conclusion

The addition of these flaws to the CISA KEV catalog is a reminder that cybersecurity hygiene is not just about servers and workstations. The "edge" of the network, cameras and controllers, is often the weakest link. Proactive hunting and rapid remediation are the most effective defenses against vulnerabilities that are already being exploited.
