Skip to main content

EZVIZ App CVE-2026-32683

| EUVDEUVD-2026-28907 MEDIUM
Cleartext Transmission of Sensitive Information (CWE-319)
2026-05-09 hikvision GHSA-5xjc-rg5p-8xgc
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 09, 2026 - 09:15 vuln.today
CVE Published
May 09, 2026 - 08:29 nvd
MEDIUM 5.3

DescriptionCVE.org

Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to obtain data.Users are advised to upgrade the app to the latest version and enable the video encryption feature.

AnalysisAI

EZVIZ App versions using legacy cloud feature modules with outdated API interfaces allow attackers to eavesdrop on network traffic and disclose sensitive video data. The vulnerability requires adjacent network access and high exploitation complexity, but affects all EZVIZ App versions until patched. Attackers can obtain video transmission data without authentication or user interaction by intercepting unencrypted or weakly encrypted API communications.

Technical ContextAI

EZVIZ App integrates cloud feature modules with legacy API interfaces that transmit data over the network without sufficient encryption or authentication protections. The vulnerability stems from the use of older, deprecated API designs that were not hardened against network eavesdropping attacks. The CWE is not specified in available data, but the core issue is improper use of cryptography (likely CWE-327 or CWE-522) combined with insufficient transport security for sensitive video metadata or credentials. The CPE indicates all versions of EZVIZ App across all platforms are potentially affected until updates are deployed.

RemediationAI

Upgrade EZVIZ App to the latest available version from the official EZVIZ app store or Hikvision support portal; exact patched version number is not specified in available advisory data, so users should install the newest release available. Immediately enable the video encryption feature within EZVIZ App settings to protect data in transit - this is the critical compensating control even after upgrade, as it mitigates eavesdropping on API communications. For users unable to upgrade immediately, restrict EZVIZ App access to trusted networks only (home WiFi with WPA2/WPA3 security, corporate VPN) and avoid public or untrusted WiFi. Disable cloud features if local-only operation is acceptable. Verify that HTTPS/TLS is enforced for all app-to-cloud communications in device settings. References: https://www.ezviz.com/inter/trust-center/security/security-notice/2026.05.08 and https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-cloud-function-modules-of-some-hikvisk/

Share

CVE-2026-32683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy