Hikvision Access Control Session Hijacking

Remote attackers can steal valid authentication session identifiers of Hikvision Access Control/Intercom Products. This is possible because a remote attacker can create a session identifier without restrictions. If an attacker requests a session ID at the same time as a valid user, the attacker receives the identical session ID. This session ID is immediately recognized as valid after successful authentication of the correct user.

access access control attacker attackers authentication control hijacking hikvision intercom products requests restrictions session session hijacking steal valid