Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The application does not impose strict enough restrictions on directory access permissions, posing a risk that other malicious applications could obtain sensitive information.
AnalysisAI
Hikvision Hik-Connect App fails to enforce strict directory access permissions, allowing other locally-installed applications to read sensitive information stored by the app on the device filesystem. The vulnerability requires local access and high attack complexity but poses information disclosure risk to users with multiple apps on the same device. No public exploit or active exploitation has been identified; CVSS score of 2.9 reflects the local-only attack vector and limited confidentiality impact.
Technical ContextAI
The vulnerability stems from inadequate filesystem permission controls on directories and files used by the Hik-Connect mobile application. Rather than a cryptographic or protocol-level flaw, this is a configuration/implementation issue where the app stores sensitive data (likely authentication tokens, user credentials, or personal information) in filesystem locations that are readable by other applications running under different user contexts or with elevated privileges on the same device. This is classified as an information disclosure vulnerability (CWE not specified but likely CWE-276: Incorrect Default Permissions or CWE-377: Insecure Temporary File). The attack surface is constrained to local access on the device where Hik-Connect is installed-typically a smartphone or tablet.
RemediationAI
Hikvision should update the Hik-Connect App to a patched version that enforces strict directory permissions (mode 0700 or equivalent platform-specific private storage) on all directories and files containing sensitive data, and ensures the app uses platform-provided secure storage mechanisms (Android KeyStore on Android, Keychain on iOS). Users should immediately update the Hik-Connect App through their device's official app store to receive the security patch once released. As a compensating control pending patching, users should avoid installing untrusted third-party applications on devices running Hik-Connect, and should review and restrict permissions granted to other installed apps (particularly file system access permissions). Additionally, users should disable any non-essential APIs or debug modes in Hik-Connect if available. Note that these compensating controls do not eliminate the vulnerability but reduce the likelihood of exploitation by limiting the attack surface.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29447
GHSA-76rw-6xcg-jrh4