Hikvision NVR creates "ngtest" backdoor user on managed cameras

CPM

n3wb
Aug 22, 2024
Netherlands
I have a DS-7616NXI-I2/16P/S NVR with firmware V5.04.066 build 250620 (latest).
I have connected multiple Hikvision cameras through LAN and PoE.
When I go to the web interface of the "NVR->Device Access->Device->Video Device->Operation->Go" to manage the camera itself through the NVR, it creates a user called "ngtest" on the camera. When you close the window the user remains on the camera. It does this on any Hikvision camera (LAN and PoE).

It is possible to remove the user on the camera directly, but when you use the "Operation" option on the NVR the user gets created again. It is not possible to remove the user from the camera when you use the Operation function from the NVR. It's impossible to remove the user within cameras that are connected through the PoE ports of the NVR itself.
When you manually create the "ngtest" user on the camera as a normal user with any permission, and afterwards manage it through the Operation function from the NVR, the user gets overwritten and gets all the permissions that you can see on the screenshot below. After you manage the camera through the NVR you cannot log in with the "ngtest" user, even when you change the password of that user on the camera itself.

Here are some screenshots (some in Dutch) but you can see what's happening. The user also pops up in the online user list from the camera itself.

The front window is the pop-up window when you manage the camera from the NVR (it's the camera that you manage). .255 is the IP of the NVR. The window behind it (Dutch) is the web interface directly from the camera itself, showing the created users and the local admin.

HikUser3e.JPG


This is the online users list when accessing the camera directly, it is showing the "ngtest" user as "online".

HikUser4.JPG

These are the permissions the user has on the camera itself:

HikUser2.JPG

I find this disturbing and cannot find any documentation of this "feature". This shouldn't happen and in my opinion is a security issue, especially when the camera is accessible from the internet.

Somebody familiar with this?

PS: I already informed Hikvision support, but haven't got a response yet.
 
When I go to the web interface of the "NVR->Device Access->Device->Video Device->Operation->Go" to manage the camera itself through the NVR, it creates a user called "ngtest" on the camera. When you close the window the user remains on the camera. It does this on any Hikvision camera (LAN and PoE).
Fascinating!
It sounds like a programmer has carelessly left in some test code in the firmware.
I can see some security researchers exploring this to see if it can be exploited.
 
This is virtual host in action. The only problem is ngtest shouldn't be there. Usually virtual host uses the default channel password / admin password to open up settings on the camera.

New firmware v5+ can start virtual host on configuration click; it's not located in network -> others anymore. So perhaps it works a bit differently?

Still cool find, will check it out myself
 
This is virtual host in action. The only problem is ngtest shouldn't be there. Usually virtual host uses the default channel password / admin password to open up settings on
Unless it's totally changed in the new firmware, virtual host usually just provides a NATted access to the camera IP address without using any logon credentials.
It's then up to the user to decide how to log in.
 
Well, out of the box, connected right into the NVR PoE port, it creates that user. No first admin password setup with security questions or whatsoever. Let that settle in for a moment and think about how that is programmed in the software.

If you do the initial connection through the NVR and afterwards want to plug the camera into the normal LAN, you cannot log in with the admin account. Factory reset is your only option.

I haven't tested this further, but that's what happened to me the first time, though I wasn't aware of it at that moment. I thought they gave me a used camera because there already was a user in it (ngtest), but didn't understand why it was possible to see that user in the camera through the NVR. I connected it through LAN to manage it with the SADP tool, but it was impossible because I couldn't log in with the admin account and didn't get the initial setup.
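
A defender's check for the behaviour described in this thread, as an added example that is not code from any poster or from Hikvision: it parses a camera's user list and reports every account that is not on an allowlist, such as "ngtest". It assumes the list was saved as the UserList XML that the camera's ISAPI user endpoint (`/ISAPI/Security/users`) returns; the sample XML, the camera name, the allowlist and the user levels shown are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on the ISAPI UserList format (assumption);
# the userLevel given to "ngtest" here is illustrative, not taken from the thread.
SAMPLE_USER_LIST = """<UserList version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
  <User><id>1</id><userName>admin</userName><userLevel>Administrator</userLevel></User>
  <User><id>2</id><userName>viewer</userName><userLevel>Viewer</userLevel></User>
  <User><id>3</id><userName>ngtest</userName><userLevel>Operator</userLevel></User>
</UserList>"""


def _local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text):
    """Return one dict per <User> element, keyed by child element name."""
    users = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "User":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("userName"):
            users.append(fields)
    return users


def audit_camera(camera, xml_text, expected):
    """List accounts on `camera` whose name is not in the `expected` allowlist."""
    allowed = {name.lower() for name in expected}
    findings = []
    for user in parse_users(xml_text):
        if user["userName"].lower() not in allowed:
            findings.append({
                "camera": camera,
                "userName": user["userName"],
                "userLevel": user.get("userLevel", "unknown"),
                "id": user.get("id", ""),
            })
    return findings


if __name__ == "__main__":
    # "cam-01" and the allowlist are hypothetical values for this example.
    for f in audit_camera("cam-01", SAMPLE_USER_LIST, {"admin", "viewer"}):
        print(f"{f['camera']}: unexpected account {f['userName']!r} "
              f"(id {f['id']}, level {f['userLevel']})")
```

Run it against a fresh export before and after using the NVR's Operation function to confirm whether the account reappears on a given camera.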
 