Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to obtain data.Users are advised to upgrade the app to the latest version and enable the video encryption feature.
AnalysisAI
EZVIZ App versions using legacy cloud feature modules with outdated API interfaces allow attackers to eavesdrop on network traffic and disclose sensitive video data. The vulnerability requires adjacent network access and high exploitation complexity, but affects all EZVIZ App versions until patched. Attackers can obtain video transmission data without authentication or user interaction by intercepting unencrypted or weakly encrypted API communications.
Technical ContextAI
EZVIZ App integrates cloud feature modules with legacy API interfaces that transmit data over the network without sufficient encryption or authentication protections. The vulnerability stems from the use of older, deprecated API designs that were not hardened against network eavesdropping attacks. The CWE is not specified in available data, but the core issue is improper use of cryptography (likely CWE-327 or CWE-522) combined with insufficient transport security for sensitive video metadata or credentials. The CPE indicates all versions of EZVIZ App across all platforms are potentially affected until updates are deployed.
RemediationAI
Upgrade EZVIZ App to the latest available version from the official EZVIZ app store or Hikvision support portal; exact patched version number is not specified in available advisory data, so users should install the newest release available. Immediately enable the video encryption feature within EZVIZ App settings to protect data in transit - this is the critical compensating control even after upgrade, as it mitigates eavesdropping on API communications. For users unable to upgrade immediately, restrict EZVIZ App access to trusted networks only (home WiFi with WPA2/WPA3 security, corporate VPN) and avoid public or untrusted WiFi. Disable cloud features if local-only operation is acceptable. Verify that HTTPS/TLS is enforced for all app-to-cloud communications in device settings. References: https://www.ezviz.com/inter/trust-center/security/security-notice/2026.05.08 and https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-cloud-function-modules-of-some-hikvisk/
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28907
GHSA-5xjc-rg5p-8xgc