This tool is a Python proof‑of‑concept to test Hikvision wireless access points for CVE‑2026‑0709, an authenticated command injection vulnerability that can lead to remote code execution on affected devices.
For security testing and research on systems you own or are explicitly authorized to assess only.
CVE‑2026‑0709 is an authenticated vulnerability: the attacker must log in with valid credentials, then send a specially crafted request to a vulnerable endpoint on the Hikvision wireless AP. If the device is vulnerable, unsanitized input is passed to the underlying operating system, allowing arbitrary command execution under the device’s service account.
This script:
- Authenticates to the device with provided credentials.
- Sends an HTTP request to the vulnerable endpoint with an injected command.
- Displays the HTTP response so you can verify whether the command appears to have executed.
The script is written as a template: you must fill in the real endpoint path, parameter name, and login logic according to the official vendor advisory or a public proof‑of‑concept.
- Command‑line interface for easy use in labs and pipelines.
- Supports HTTP or HTTPS and custom port.
- Uses a session to perform:
  - Login with username/password.
  - One or more exploit requests with custom commands.
- Prints raw HTTP response for manual analysis.
- Python 3.8+
- Python packages:
  - requests

Install dependencies:

pip install requests

Assume the script is saved as hikvision_cve_2026_0709.py.
python hikvision_cve_2026_0709.py \
--host 192.168.1.50 \
--port 80 \
--user admin \
--password MyStrongPassword \
--cmd "id"

python hikvision_cve_2026_0709.py \
--host ap.example.local \
--port 443 \
--https \
--user admin \
--password MyStrongPassword \
--cmd "uname -a"

--host (required): Target AP IP or hostname.
--port (optional): Target port (default: 80).
--https (flag): Use HTTPS instead of HTTP.
-u, --user (required): Username for login.
-p, --password (required): Password for login.
--cmd (optional): Command to execute on the device (default: id).
The script will:
- Build the base URL from host, port, and scheme (HTTP/HTTPS).
- Authenticate with the supplied credentials.
- Send a payload where one parameter contains an injected shell sequence (for example 127.0.0.1; id;).
- Print the HTTP status code and the response body.
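On the defensive side, the request pattern described above can be looked for in the AP's or an upstream proxy's access logs. The following is an added example, not part of this repository: it flags parameters whose decoded value contains shell metacharacters, and it assumes a combined-log-style line format, a placeholder path `/placeholder/diag` and a placeholder parameter `host`, none of which are the real CVE‑2026‑0709 details.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Separators and substitutions a POSIX shell would act on inside a parameter value.
SHELL_META = re.compile(r"[;&|`\r\n]|\$\(|\$\{")
# Assumed combined-log-style prefix: src ident user [time] "METHOD target PROTO"
REQUEST = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def fully_decode(value, rounds=3):
    """Undo layered URL-encoding (e.g. %253B) for a bounded number of rounds."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, decoded value) pairs whose value holds shell metacharacters."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    decoded = [(name, fully_decode(value)) for name, value in pairs]
    return [(name, value) for name, value in decoded if SHELL_META.search(value)]

def scan(log_lines):
    """Return one finding per log line that carries a suspicious parameter."""
    findings = []
    for line in log_lines:
        match = REQUEST.match(line)
        hits = suspicious_params(match["target"]) if match else []
        if hits:
            findings.append({"src": match["src"], "user": match["user"],
                             "path": urlsplit(match["target"]).path, "params": hits})
    return findings

# Constructed sample lines: path and parameter name are placeholders, not the real endpoint.
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2026:10:00:00 +0000] "GET /placeholder/diag?host=127.0.0.1 HTTP/1.1" 200 312',
    '192.0.2.44 - admin [01/Jan/2026:10:02:11 +0000] "GET /placeholder/diag?host=127.0.0.1%3B%20id%3B HTTP/1.1" 200 640',
    '192.0.2.44 - admin [01/Jan/2026:10:02:40 +0000] "GET /placeholder/diag?host=127.0.0.1%253Buname%2520-a HTTP/1.1" 200 655',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the vulnerability is authenticated, the `user` field of each finding identifies which account's credentials were used and is worth correlating with login events.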
This repository does not hard‑code any Hikvision‑specific endpoint or parameter. You must update the script to match the real details of CVE‑2026‑0709:
- Authentication function
  In authenticate(...), replace the placeholder login logic with the real one:
  - If the device uses a form‑based login, adjust the URL and form fields (e.g. /login, user, pwd).
  - If it uses HTTP basic authentication, you may not need a separate login request; instead, configure the session to use basic auth.
- Vulnerable endpoint
  In exploit_command_injection(...), set:
  - vuln_path to the actual path (for example, an API or diagnostic endpoint).
  - The parameter key (for example host, address, command) to the one that is vulnerable.
  - The exact HTTP method (GET or POST) and body/headers as described in the advisory.
- Command output
  Depending on how the device behaves:
  - The response may contain the command output directly.
  - Or it may show only a generic status, and you must infer success via side effects (e.g., new file, network callback).

  Adjust your parsing logic accordingly if you want to automatically detect success.
- Read the official vendor advisory / technical write‑up for CVE‑2026‑0709.
- Identify:
  - Endpoint URL (path).
  - Vulnerable parameter.
  - Required authentication method.
- Edit the script:
  - Update authenticate() with correct login path and fields.
  - Update exploit_command_injection() with correct path and parameter name.
- Run the script in a lab against a test device.
- Check the response for evidence of command execution (e.g., output of id or uname -a).
- Use this tool only on devices and networks where you have explicit permission.
- Unauthorized testing or exploitation may violate local laws and regulations.
- The authors and maintainers of this code are not responsible for misuse, damage, or legal consequences resulting from its use.
This PoC is provided for educational, research, and defensive security purposes. It is not a production‑grade exploit or scanner. You should thoroughly review and test the code, and always follow your organization’s security policies and legal requirements.