CVE-2023-28809 Information

Description

Some access control products are vulnerable to a session hijacking attack because the product does not update the session ID after a user successfully logs in. To exploit the vulnerability, an attacker has to request the session ID at the same time as a valid user logs in, and can then gain device operation permissions by forging the IP and session ID of an authenticated user.
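
The class of flaw described above, as an added example that is not the vendor's code: a toy session store in which login either keeps the pre-login session ID or replaces it, which is the standard fix for this weakness. All names and the 192.0.2.10 address are constructed, and the IP binding is an assumption drawn from the description's mention of forging the IP.

```python
import secrets


class SessionStore:
    """Toy in-memory session table: session ID -> {"user", "ip"} (hypothetical)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def new_anonymous(self, ip):
        # Pre-login session, e.g. issued when the login page is requested.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "ip": ip}
        return sid

    def login(self, sid, ip, user):
        # Credential check omitted; assume it succeeded for `user`.
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if self.rotate_on_login:
            # Hardened: drop the pre-login ID and issue a fresh one, so any
            # copy of the old ID held by another party stops working.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "ip": ip}
        return sid

    def authenticated_user(self, sid, ip):
        # Assumed IP binding; it is no protection on its own when the
        # source address can be forged, as the description notes.
        entry = self.sessions.get(sid)
        if entry is None or entry["ip"] != ip:
            return None
        return entry["user"]


def old_id_still_valid(rotate_on_login):
    """Return True if the pre-login session ID is authenticated after login."""
    store = SessionStore(rotate_on_login)
    pre_login_sid = store.new_anonymous("192.0.2.10")  # constructed address
    current_sid = store.login(pre_login_sid, "192.0.2.10", "operator")
    assert store.authenticated_user(current_sid, "192.0.2.10") == "operator"
    return store.authenticated_user(pre_login_sid, "192.0.2.10") is not None


if __name__ == "__main__":
    print("without rotation, old ID valid:", old_id_still_valid(False))
    print("with rotation, old ID valid:   ", old_id_still_valid(True))
```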

Reference

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-access-control-intercom/
