CVE-2024-58274
Published: 22 October 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2024-58274 is a command injection vulnerability (CWE-78) affecting Hikvision's Comprehensive Security Management Platform (CSMP) iSecure Center through version 2024-08-01. The issue enables execution of arbitrary commands embedded within $( ) syntax in JSON data submitted to the /center/api/installation/detection endpoint. It carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, and lack of prerequisites.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted JSON payloads to the vulnerable endpoint, achieving remote code execution (RCE) on the target system. The attack requires no privileges or user interaction and leverages a scope change for impact across low confidentiality, integrity, and availability.
Advisories and related resources, including those at https://forum.butian.net/article/498, https://xz.aliyun.com/news/14639, and a Nuclei detection template at https://github.com/ahisec/nuclei-tps/blob/main/http/vulnerabilities/hikvision/hikvision-csmp-installation-rce.yaml, document the issue and exploitation methods. The vulnerability has been actively exploited in the wild during 2024 and 2025.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection in public-facing web API endpoint enables remote exploitation of public-facing application (T1190) and arbitrary command execution via scripting interpreter (T1059).