Skip to main content

HikCentral Professional CVE-2026-1749

| EUVDEUVD-2026-28905 MEDIUM
Improper Access Control (CWE-284)
2026-05-09 hikvision GHSA-r9q2-82fq-2493
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 09, 2026 - 09:15 vuln.today
CVE Published
May 09, 2026 - 08:27 nvd
MEDIUM 6.8

DescriptionCVE.org

There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.

AnalysisAI

Unauthenticated attackers can bypass access controls in HikCentral Professional to obtain administrative permissions, enabling unauthorized management and configuration of security infrastructure. The vulnerability requires network access and non-trivial complexity but grants high-impact confidentiality and scope expansion across affected deployments. No public exploit code has been identified, though Hikvision has released a security advisory confirming the issue.

Technical ContextAI

HikCentral Professional is a centralized management platform for Hikvision security systems, handling user authentication, authorization, and administrative access control. The vulnerability exists in the access control mechanism (CWE category implicit from impact description), allowing authentication bypass or privilege escalation. The CVSS vector indicates network-accessible endpoints with moderate attack complexity (AC:H), suggesting the exploitation requires specific conditions such as particular configuration states, timing windows, or intermediate knowledge of the system architecture, though authentication is not required (PR:N). CPE indicates all versions of HikCentral Professional are affected; specific vulnerable version ranges have not been disclosed in the advisory reference.

RemediationAI

Apply the vendor-released security patch from Hikvision for HikCentral Professional. Consult the Hikvision security advisory (https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-hikcentral-professional/) for exact patched version numbers and deployment instructions specific to your installation. Interim compensating controls pending patch deployment include: restrict network access to HikCentral Professional administrative interfaces to trusted IP ranges or VPN-only connectivity, reducing exposure to unauthenticated attackers (trade-off: reduced usability for remote management); disable or revoke unnecessary administrative user accounts and enforce the principle of least privilege for management roles (trade-off: operational complexity in multi-team environments); monitor authentication logs for anomalous administrative access patterns and unusual privilege escalations; implement network segmentation isolating HikCentral Professional from general corporate networks (trade-off: potential impact on integrated security workflows). These controls mitigate but do not eliminate risk; patching remains the primary remediation.

Share

CVE-2026-1749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy