Scans for Hikvision Intelligent Security API

    Published: 2026-07-19. Last Updated: 2026-07-19 15:00:38 UTC
    by Johannes Ullrich (Version: 1)
    0 comment(s)

    We have been following issues with Hikvision cameras for a long, long time. Like many similar products, Hikvision cameras have a long history of vulnerabilities and are often targeted by internet-wide scans that our honeypot network detects.

    This weekend, I noticed a new type of recon scans against the newer OPEN Intelligent Security API (ISAPI) provided by Hikvision cameras. This REST-based API does provide access to a wide range of features. Despite using the word "Intelligent" in its name, the API is not limited to some of the AI/facial recognition functions, but can be used to fully control the camera settings and manage the camera. The API is intended for integration with various third-party products and is well-documented by Hikvision. The ISAPI has been around since at least 2018, but I have only now noticed scans for /ISAPI/System/status, an endpoint that is an obvious choice to profile ISAPI devices. Messages can use XML or JSON. Most examples I have seen use XML.

    ISAPI requests are authenticated using Basic or Digest authentication. The cameras support HTTPS, but of course, like for many similar IoT devices, it must first be configured with appropriate keys and certificates. Messages may also be encrypted with AES 128 or 256 in CBC mode. The encryption key is derived from the password, and the iv is exposed in the URL. As a result, the encryption does not provide any additional security if Basic authentication is used and the password is sent in the clear. HTTPS should provide more comprehensive protection.

    The URL our sensors noticed this weekend, /ISAPI/System/status, returns XML (or JSON) formatted system information. It is likely a simple way to verify whether the device supports ISAPI (I expect a 401 or 403 response if the URL exists, and a 404 response if it does not), and the URL may be useful for brute-forcing a password.

    So far, our honeypots have not captured full requests (not all honeypots do so). I will update this diary if I find some complete requests with authentication data (if included). And as always, do not expose these cameras to the internet, and do not place them in sensitive areas.

    --
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
    Twitter|

    Keywords:
    0 comment(s)

      Comments


      Diary Archives