CVE-2023-28815
Published: 17 October 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2023-28815 is a command injection vulnerability in some versions of Hikvision's iSecure Center product, caused by insufficient validation of a request parameter. iSecure Center is software released exclusively for China's domestic market, with no overseas release. The issue is classified under CWE-141 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impact on confidentiality, integrity, and availability.
Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, because the vulnerable service is reachable over the network and the attack complexity is low. Successful exploitation grants the privileges of the platform itself, enabling arbitrary command execution on the affected system.
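The class of defect described above (an unvalidated parameter reaching a command interpreter) is easiest to see as a vulnerable pattern beside its hardened form. The following is an added, generic illustration written for this record; it is not Hikvision's code and says nothing about how iSecure Center is implemented. The "ping a host" handler, the hostname allow-list regex, and the function names are all assumptions chosen for the example.

```python
import re
import subprocess

# Hypothetical handler: a management platform exposes "ping <host>" to callers.
# Assumed example only; this is NOT code from Hikvision or iSecure Center.

# Allow-list: characters that can legitimately appear in a hostname or IPv4 literal.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern (the CWE-141 / command-injection shape).

    Untrusted input is concatenated into a single string that a shell will parse.
    Any shell delimiter inside `host` (';', '&&', '|', '$(...)') ends the intended
    command and starts a new one, so the caller controls what the platform runs.
    """
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Reject anything outside the hostname allow-list before it reaches a command.

    Raising here (rather than stripping characters) keeps the rejection visible
    to the caller and to logging, which is what a defender wants to alert on.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid host parameter: {host!r}")
    return host


def build_ping_argv(host: str) -> list[str]:
    """Hardened pattern: validated value placed into an argv list, never a shell string.

    With an argv list there is no shell to interpret delimiters, so ';' or '|' in
    `host` can only ever be part of one argument. The '--' ends option parsing, so
    a value that passes the regex but starts with '-' (e.g. '-f') cannot be
    reinterpreted as a ping flag.
    """
    return ["ping", "-c", "1", "--", validate_host(host)]


def ping(host: str) -> int:
    """Run the hardened form. shell=False is subprocess.run's default."""
    result = subprocess.run(build_ping_argv(host), check=False, capture_output=True)
    return result.returncode


if __name__ == "__main__":
    # Constructed sample input containing a shell delimiter.
    tainted = "example.com; echo injected"
    print("unsafe string a shell would see:", build_ping_command_unsafe(tainted))
    try:
        build_ping_argv(tainted)
    except ValueError as exc:
        print("hardened path rejected it:", exc)
    print("hardened argv for a clean value:", build_ping_argv("example.com"))
```

The test-relevant behaviour is in the builders and the validator, so a unit test can check the rejection without running ping at all; `ping()` is there only to show that the argv list is executed without a shell.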
Hikvision has issued a security notice detailing the vulnerability at https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/2023-04/, which security practitioners should consult for mitigation guidance and patch information.
Details
- CWE(s): CWE-141
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1059: Command and Scripting Interpreter
Why these techniques?
The CVE enables unauthenticated remote command injection in a network-accessible service (T1190: Exploit Public-Facing Application), which directly yields arbitrary command execution on the platform (T1059: Command and Scripting Interpreter).