What happened

CISA added CVE-2017-7921 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-03-05, signaling confirmed in-the-wild abuse of this flaw CISA KEV. The vulnerability is an Improper Authentication issue (CWE-287) affecting multiple Hikvision products, enabling attackers to escalate privileges and access sensitive information NVD entry. MITRE’s record tracks the same CVE identifier and classifies the weakness in alignment with CWE-287 for authentication failures MITRE CVE record. CISA set a remediation due date of 2026-03-26 for this entry in the KEV, underscoring urgency for organizations to mitigate or remove exposure CISA KEV.

Why it matters

Improper authentication on edge devices lets adversaries bypass normal checks and operate with elevated rights, creating a direct path to sensitive data on the device NVD entry. When the vulnerability exists across “Multiple Products,” defenders face a broader asset discovery and patching problem, often spanning diverse firmware baselines and operational constraints CISA KEV. KEV inclusion means the vulnerability is actively exploited and should be prioritized ahead of non-KEV issues in patch queues and risk workflows CISA KEV. Because the root class is CWE-287, compensating controls must focus on strengthening identity validation paths and eliminating unauthenticated privilege transitions on these devices MITRE CVE record.

Technical detail

CVE-2017-7921 is mapped to CWE-287 (Improper Authentication), a class where the system fails to verify the user or service identity before granting access or permissions NVD entry. For Hikvision “Multiple Products,” that failure enables an attacker to escalate privileges, which expands their operational reach on the device beyond what an unauthenticated or low-privilege context would allow NVD entry. The same flaw can expose sensitive information resident on the device, which in the surveillance context can include configuration data or other protected outputs NVD entry.

CISA’s KEV listing confirms observed exploitation and mandates time-bounded remediation, a strong indicator that real-world adversaries find the vulnerability reliable and valuable in campaigns CISA KEV. The MITRE CVE record corroborates the identity and classification of the vulnerability, ensuring consistent tracking across vulnerability management systems and SBOM workflows MITRE CVE record. Given the defect’s authentication nature, exploitation paths typically involve interacting with exposed device interfaces where identity checks are expected but fail, aligning with the CWE-287 pattern NVD entry.

Defense

CISA’s required action for this KEV item is explicit: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable CISA KEV. Prioritize any Hikvision systems tagged by asset management or vuln scanners as affected by CVE-2017-7921 and track closure against the KEV due date of 2026-03-26 CISA KEV. Where immediate patching or replacement is infeasible, enforce strict access to device management interfaces and authenticate all administrative actions, aligning compensating controls to the CWE-287 weakness class NVD entry.

For governance and reporting, register CVE-2017-7921 in your org’s KEV watchlist to ensure heightened SLAs and automated escalations until remediated CISA KEV. Ensure your vulnerability intelligence pipeline correlates the CVE to CWE-287 so engineering teams can apply systemic fixes that harden authentication boundaries across similar devices and services MITRE CVE record. When validating mitigations, test for removal of privilege escalation and verify that sensitive information is no longer accessible via the previously affected paths NVD entry.

Lyrie Verdict

This is an identity-bypass class on edge devices that adversaries are already exploiting, per CISA’s KEV inclusion and remediation mandate CISA KEV. Human ticket queues won’t keep pace when an automated adversary can sweep camera fleets and trigger unauthenticated privilege paths in seconds NVD entry. Lyrie’s position: treat IP cameras and similar embedded systems as machine-speed battlegrounds. Deploy autonomous detection that fingerprints device authentication flows, flags privilege transitions without valid identity proofs, and isolates compromised nodes the moment anomalous elevation or sensitive-data access is observed, closing the gap between exploit and containment at machine speed MITRE CVE record.