Description
Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.
Published: 2026-01-30
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file modification by authenticated users due to insufficient access controls
Action: Apply Firmware
AI Analysis

Impact

The flaw exists in certain HIKSEMI HS-AFS-S1H1 NAS devices, where the access control mechanisms are inadequate for file resource operations. Authenticated users can modify or delete files belonging to other users, which can compromise the confidentiality, integrity, and availability of data stored on the device.

Affected Systems

Affected devices are the HIKSEMI HS-AFS-S1H1 NAS series. No specific firmware version numbers are listed, so the vulnerability may be present across all current releases. Administrators should verify the firmware version currently in use and consult vendor advisories for patch information.

Risk and Exploitability

The CVSS score of 4.3 signals a moderate risk level, and the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not included in CISA's KEV catalog. The flaw is confined to authenticated users (PR:L in the CVSS vector), so an attacker needs valid credentials; based on the description, it is inferred that a compromised account is a prerequisite for exploitation.

Generated by OpenCVE AI on April 18, 2026 at 14:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HS-AFS-S1H1 NAS firmware to the latest version supplied by HIKSEMI that addresses the access control flaw
  • Restrict privileged user accounts and enforce least privilege for file operations to limit the impact of compromised credentials
  • Enable comprehensive logging on the NAS and regularly review access logs for suspicious file modification activity
  • Consider segmenting the network to isolate the NAS from untrusted or remote connections, reducing the attack surface

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Inadequate Access Control Enables Authenticated Users to Modify Files on HIKSEMI NAS |

Fri, 27 Feb 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-863 |

Tue, 03 Feb 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Hiksemi; Hiksemi hs-afs-s1h1 |
| Vendors & Products | | Hiksemi; Hiksemi hs-afs-s1h1 |

Fri, 30 Jan 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |

Fri, 30 Jan 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization. |
| References | | |
| Metrics | | cvssV3_1: `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}` |

MITRE

Status: PUBLISHED

Assigner: hikvision

Published:

Updated: 2026-02-27T14:44:15.585Z

Reserved: 2026-01-08T05:37:27.997Z

Link: CVE-2026-22624

Vulnrichment

Updated: 2026-01-30T12:44:13.143Z

NVD

Status: Deferred

Published: 2026-01-30T11:15:55.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses