Vista VK2 IP Camera Vulnerability – 28th November 2023

Vista has become aware of vulnerabilities within the VK2 range of IP cameras.

We are currently working extensively with the Development Team to implement firmware updates for prompt resolution.

Details are provided below, including the products of the range and how they are each affected.

VULNERABILITIES

No.  Description                                                                                    Severity
1    Ability to inject PHP and modify the Admin password to gain access, via user_update.php        High
2    Unsupported web software: PHP (PHP/7.3.7)                                                      Medium
3    Outdated server software: Lighttpd (lighttpd/1.4.39)                                           Medium

AFFECTED PRODUCTS AND VERSIONS

The VK2 range cameras listed below exhibit all three issues above. The latest affected firmware version is given for each model.

Once a firmware resolution is available for the below cameras, details of the updated version will be provided here. Please check regularly for updates to this announcement.

Model                  Last Affected Version         Fixed Version
VK2-HDX23IR-SMW        H_5213_PTZ_v2.6.2.enc         TBC
VK2-HDX20-SMW          H_5229_PTZ_v1.3.3.enc         TBC
VK2-4KX30IR-PM         H_7817_PTZ_v1.5.4.enc         TBC
VK2L-2MPBIR36          H_1212_v1.3.4.enc             TBC
VK2L-2MPTIR36          H_1212_v1.3.4.enc             TBC
VK2-2MPXVFDIR28V12M    H_5213_v3.7.9.enc             TBC
VK2-2MPXVRDIR37        H_5213_v3.7.9.enc             TBC
VK2-2MPXVRDIR28V12M    H_5213_v3.7.9.enc             TBC
VK2-4MPXVRDIR28V12M    H_6411_v3.3.8.enc             TBC
VK2-4MPXBIR28V12M      H_6411_v3.3.8.enc             TBC
VK2-4KXVRDIR36V11M     H_7816_v2.0.1.enc             TBC
VK2-12MP360EXTIR       H_7817_Fisheye_v1.5.4.enc     TBC

All remaining Vista IP cameras of the VK2 range, i.e. those not listed above, exhibit vulnerabilities 2 and 3 only.

Note: they do not exhibit issue 1 (inject PHP and modify the Admin password to gain access).

These remaining VK2 cameras use older, unsupported SoC (System on a Chip) hardware and will not receive further firmware updates.
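
As an added example, not Vista's own tooling, the following Python triages a camera inventory against the table above: it parses each firmware string into build and version, compares versions numerically (so 2.10 sorts after 2.6 rather than before it), and classifies unlisted VK2 models under issues 2 and 3 only, as the advisory states. The inventory rows in the test are constructed, and the "affected-unconfirmed" status for firmware newer than the last affected version is an assumption, since no fixed version has been published yet.

```python
import re

# Model -> last affected firmware, copied from the advisory table above.
LAST_AFFECTED = {
    "VK2-HDX23IR-SMW": "H_5213_PTZ_v2.6.2.enc",
    "VK2-HDX20-SMW": "H_5229_PTZ_v1.3.3.enc",
    "VK2-4KX30IR-PM": "H_7817_PTZ_v1.5.4.enc",
    "VK2L-2MPBIR36": "H_1212_v1.3.4.enc",
    "VK2L-2MPTIR36": "H_1212_v1.3.4.enc",
    "VK2-2MPXVFDIR28V12M": "H_5213_v3.7.9.enc",
    "VK2-2MPXVRDIR37": "H_5213_v3.7.9.enc",
    "VK2-2MPXVRDIR28V12M": "H_5213_v3.7.9.enc",
    "VK2-4MPXVRDIR28V12M": "H_6411_v3.3.8.enc",
    "VK2-4MPXBIR28V12M": "H_6411_v3.3.8.enc",
    "VK2-4KXVRDIR36V11M": "H_7816_v2.0.1.enc",
    "VK2-12MP360EXTIR": "H_7817_Fisheye_v1.5.4.enc",
}

# Firmware names in the table look like H_<build>[_<variant>]_v<major>.<minor>.<patch>.enc
_FW_RE = re.compile(r"^(?P<build>H_\d+(?:_[A-Za-z]+)?)_v(?P<ver>\d+(?:\.\d+)*)\.enc$")

def parse_firmware(fw):
    """'H_5213_PTZ_v2.6.2.enc' -> ('H_5213_PTZ', (2, 6, 2)); raises on other shapes."""
    m = _FW_RE.match(fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    return m.group("build"), tuple(int(p) for p in m.group("ver").split("."))

def assess(model, fw):
    """Return (status, set of advisory issue numbers) for one camera."""
    model = model.strip().upper()
    if not model.startswith("VK2"):
        return "out-of-scope", set()
    if model not in LAST_AFFECTED:  # unlisted VK2 model: issues 2 and 3, no fix planned
        return "legacy", {2, 3}
    build, ver = parse_firmware(fw)
    ref_build, ref_ver = parse_firmware(LAST_AFFECTED[model])
    if build == ref_build and ver <= ref_ver:  # tuple compare, so (2,10,0) > (2,6,2)
        return "affected", {1, 2, 3}
    # Assumption: a different build or a newer version is not a fix until Vista lists one.
    return "affected-unconfirmed", {1, 2, 3}

def triage(inventory):
    """inventory: iterable of (host, model, firmware). Returns rows, worst first."""
    rows = [(host, model, fw, *assess(model, fw)) for host, model, fw in inventory]
    order = {"affected": 0, "affected-unconfirmed": 1, "legacy": 2, "out-of-scope": 3}
    return sorted(rows, key=lambda r: order[r[3]])
```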

RECOMMENDATIONS

The recommendations below minimise the impact of these issues; they are also best practice for any CCTV deployment.

  • Provide a dedicated VLAN/Ethernet network for all CCTV devices, separate from the corporate or customer LAN.

  • Where connectivity between the networks is required, provide a firewall with rules and policies that block all unnecessary source IP addresses and ports.

  • Apply IP whitelists to CCTV devices such as cameras, permitting only the source IP addresses that need access (e.g. the NVR recorder, the engineering LAN).

  • Use HTTPS for web login access on any CCTV device, where possible.

  • Ensure admin passwords are changed from their defaults to strong passwords.

Please revisit this page to keep updated on firmware resolutions.