HIKSEMI NAS CVE-2026-22623
HIGHSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.
AnalysisAI
Authenticated command injection in HIKSEMI NAS devices allows privileged users to execute arbitrary commands through improper input validation on the device interface. Attackers with valid credentials can craft malicious messages to achieve unauthenticated code execution on affected systems. No patch is currently available for this vulnerability.
Technical ContextAI
Classified as CWE-77 (Command Injection). Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.
Affected ProductsAI
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today