Hikvision Wireless Access Points Vulnerability Enables Malicious Command Execution

A critical authenticated command execution vulnerability has been disclosed affecting multiple Hikvision Wireless Access Point (WAP) models.

The flaw, tracked as CVE-2026-0709, stems from insufficient input validation in device firmware, potentially allowing attackers with valid credentials to execute arbitrary commands on affected systems.

The vulnerability carries a CVSS v3.1 base score of 7.2, indicating a high-severity threat.

According to the advisory, attackers who can authenticate to the device can send specially crafted packets containing malicious commands directly to the WAP, bypassing critical security controls.

This attack vector bypasses network perimeter defenses since it requires valid credentials, making it particularly dangerous in environments where user authentication has been compromised or where insider threats exist.

Affected Models and Timeline

Affected Model	Vulnerable Firmware Version
DS-3WAP521-SI	V1.1.6303 build250812 and earlier
DS-3WAP522-SI	V1.1.6303 build250812 and earlier
DS-3WAP621E-SI	V1.1.6303 build250812 and earlier
DS-3WAP622E-SI	V1.1.6303 build250812 and earlier
DS-3WAP623E-SI	V1.1.6303 build250812 and earlier
DS-3WAP622G-SI	V1.1.6303 build250812 and earlier

Hikvision has released patched firmware versions (V1.1.6601 build 251223) that address the flaw across all affected devices.

The vulnerability was initially reported on January 30, 2026, by an independent security researcher, exzettabyte.

Organizations deploying these WAP models should immediately prioritize updating to the resolved firmware version to mitigate exploitation risks.

Vulnerability Details and Impact

The authenticated nature of this vulnerability makes it particularly concerning for enterprise environments.

While attackers must possess valid device credentials, compromised user accounts, stolen credentials, or insider threats can serve as entry points.

Once authenticated, the insufficient input validation allows threat actors to inject and execute arbitrary commands with device privileges, potentially leading to complete system compromise.

Organizations operating affected Hikvision WAP models should take immediate action. Patches are available for download on the official Hikvision support portal.

Administrators should deploy firmware version V1.1.6601 build 251223 across all vulnerable devices in their infrastructure.

Simultaneously, organizations should review access controls and enforce strong authentication mechanisms to limit device access to authorized personnel only.

For organizations unable to patch immediately, implementing network segmentation to restrict device access and monitoring authentication logs for suspicious activity can provide interim protection.

Additionally, credential rotation for affected devices is recommended to prevent exploitation through compromised accounts. Hikvision’s HSRC continues monitoring security threats and welcomes vulnerability disclosures at [email protected].

Organizations with questions regarding this vulnerability should contact Hikvision support through official channels.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.