Some Hikvision Wireless Access Points allow attackers who possess valid credentials to send specially crafted packets that include malicious commands. The insufficient validation of input data enables arbitrary command execution on the affected devices, potentially giving attackers full control over the device functions and networks they manage. This flaw can be exercised as a command injection vulnerability, classified as CWE‑78, allowing a remote authenticated attacker to execute any commands supported by the device operating system.

Hikvision models DS‑3WAP521‑SI, DS‑3WAP522‑SI, DS‑3WAP621E‑SI, DS‑3WAP622E‑SI, DS‑3WAP622G‑SI, and DS‑3WAP623E‑SI are known to be affected. The vulnerability applies to firmware versions that have not yet been patched by Hikvision as described in their cybersecurity advisory.

The CVSS score of 7.2 highlights a high severity risk, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild at present. The vulnerability is not listed in CISA’s KEV catalog, which suggests that it is not tied to an active, publicly known exploit. However, because the flaw requires authentication, any compromised account or weak default credential could provide an attacker immediate local or remote control, depending on network configuration. The attack vector is likely restricted to an authenticated user; an attacker who can gain legitimate access to the device’s management interface can trigger the vulnerability simply by sending crafted network packets.