CVE-2020-7057

Name of the Vulnerable Software and Affected Versions Hikvision DVR DS-7204HGHI-F1 version 4.0.1 build 180903

Description The issue allows an attacker to potentially enumerate user accounts by analyzing the different responses received for failed login attempts to the ISAPI/Security/sessionLogin/capabilities endpoint, depending on whether the user account exists. The system only allows about 4 or 5 failed login attempts.

Recommendations For Hikvision DVR DS-7204HGHI-F1 version 4.0.1 build 180903, consider restricting access to the ISAPI/Security/sessionLogin/capabilities endpoint to minimize the risk of user enumeration. As a temporary workaround, limit the number of allowed failed login attempts to prevent brute-force attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.