{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22624", "assignerOrgId": "da451dce-859b-4e51-8b87-9c8b60d19b32", "state": "PUBLISHED", "assignerShortName": "hikvision", "dateReserved": "2026-01-08T05:37:27.997Z", "datePublished": "2026-01-30T11:03:02.811Z", "dateUpdated": "2026-02-27T14:44:15.585Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization."}], "affected": [{"vendor": "HIKSEMI", "product": "HS-AFS-S1H1", "versions": [{"version": "V5.10.10_Build_251126", "status": "affected"}]}], "references": [{"url": "https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html"}], "credits": [{"lang": "en", "value": "Jincheng Wang", "type": "finder"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "providerMetadata": {"orgId": "da451dce-859b-4e51-8b87-9c8b60d19b32", "shortName": "hikvision", "dateUpdated": "2026-01-30T11:03:02.811Z"}, "x_generator": {"engine": "cveClient/1.0.15"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-863", "lang": "en", "description": "CWE-863 Incorrect Authorization"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T12:43:48.203961Z", "id": "CVE-2026-22624", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T14:44:15.585Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22624", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-30T12:43:48.203961Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T12:44:13.143Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Jincheng Wang"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HIKSEMI", "product": "HS-AFS-S1H1", "versions": [{"status": "affected", "version": "V5.10.10_Build_251126"}]}], "references": [{"url": "https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html"}], "x_generator": {"engine": "cveClient/1.0.15"}, "descriptions": [{"lang": "en", "value": "Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization."}], "providerMetadata": {"orgId": "da451dce-859b-4e51-8b87-9c8b60d19b32", "shortName": "hikvision", "dateUpdated": "2026-01-30T11:03:02.811Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22624", "state": "PUBLISHED", "dateUpdated": "2026-02-27T14:44:15.585Z", "dateReserved": "2026-01-08T05:37:27.997Z", "assignerOrgId": "da451dce-859b-4e51-8b87-9c8b60d19b32", "datePublished": "2026-01-30T11:03:02.811Z", "assignerShortName": "hikvision"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization."}, {"lang": "es", "value": "Debido a un control de acceso inadecuado, los usuarios autenticados de ciertos productos NAS de HIKSEMI pueden manipular los recursos de archivo de otros usuarios sin la debida autorizaci\u00f3n."}], "id": "CVE-2026-22624", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "hsrc@hikvision.com", "type": "Secondary"}]}, "published": "2026-01-30T11:15:55.780", "references": [{"source": "hsrc@hikvision.com", "url": "https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html"}], "sourceIdentifier": "hsrc@hikvision.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:29:21.913112+00:00", "value": {"mitigation_remediation": ["Upgrade the HS-AFS-S1H1 NAS firmware to the latest version supplied by HIKSEMI that addresses the access control flaw", "Restrict privileged user accounts and enforce least privilege for file operations to limit the impact of compromised credentials", "Enable comprehensive logging on the NAS and regularly review access logs for suspicious file modification activity", "Consider segmenting the network to isolate the NAS from untrusted or remote connections, reducing the attack surface"], "summary": {"action": "Apply Firmware", "impact": "Unauthorized file modification by authenticated users due to insufficient access controls"}, "threat_synthesis": {"affected_systems": "Affected devices are the HIKSEMI HS-AFS-S1H1 NAS series. No specific firmware version numbers are listed, so the vulnerability may be present across all current releases. Administrators should verify the firmware version currently in use and consult vendor advisories for patch information.", "description_and_impact": "The flaw exists in certain HIKSEMI HS-AFS-S1H1 NAS devices, where the access control mechanisms are inadequate for file resource operations. Authenticated users can modify or delete files belonging to other users, which can compromise the confidentiality, integrity, and availability of data stored on the device.", "risk_and_exploitability": "The CVSS score of 4.3 signals a moderate risk level, while the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not included in CISA's KEV catalog, yet it requires an attacker to have valid credentials, as the flaw is confined to authenticated users; based on the description, it is inferred that a compromised account is a prerequisite for exploitation."}}}}, "created": "2026-02-02T09:27:51.419523+00:00", "title": "Inadequate Access Control Enables Authenticated Users to Modify Files on HIKSEMI NAS", "updated": "2026-04-18T14:30:02.948678+00:00", "vendors": ["hiksemi", "hiksemi$PRODUCT$hs-afs-s1h1"]}