Remote attackers can steal valid authentication session identifiers of Hikvision Access Control/Intercom Products. This is possible because a remote attacker can create a session identifier without restrictions. If an attacker requests a session ID at the same time as a valid user, the attacker receives the identical session ID. This session ID is immediately recognized as valid after successful authentication of the correct user.
advisories | CVE-2023-28809
