HIKVISION has rolled out a critical firmware update for its DS-3WAP wireless access points to close a high-severity vulnerability that could allow attackers to hijack devices from the inside. The flaw, tracked as CVE-2026-0709, carries a CVSS score of 7.2 and stems from insufficient input validation, enabling an authenticated attacker to execute arbitrary code by sending crafted packets.
The advisory notes that the issue leads directly to arbitrary command execution, potentially allowing an intruder to intercept traffic, pivot to other devices, or disrupt wireless services. The vulnerability affects a wide range of Hikvision’s DS-3WAP series access points running firmware version V1.1.6303 build250812 and earlier, including models DS-3WAP521-SI, DS-3WAP522-SI, DS-3WAP621E-SI, DS-3WAP622E-SI, and DS-3WAP623E-SI, with a unified fix released to Version V1.1.6601 build251223. According to Hikvision, administrators should update immediately to close the attack vector. The article was published on 3 February 2026.