Since late February 2026, a coordinated campaign to compromise internet-connected IP cameras has been underway across multiple countries in the Middle East, raising serious concerns about how cyber operations are being actively used to support physical military activity.
The campaign was first observed on February 28, 2026, when exploitation attempts spiked sharply against IP cameras in Israel, the United Arab Emirates, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus.
The attack activity originated from infrastructure linked to Iran-nexus threat actors, using commercial VPN exit nodes — including Mullvad, ProtonVPN, Surfshark, and NordVPN — alongside virtual private servers to mask their true origins.
The scale and timing of these attacks are far from random. Earlier activity was also recorded on January 14–15, coinciding precisely with a period when Iran closed its airspace amid fears of a potential U.S. military strike.
Check Point Research analysts identified these targeting patterns through continuous monitoring of Iran-linked infrastructure and noted that spikes in camera exploitation consistently aligned with major geopolitical events.
The activity on January 24, for instance, coincided with a visit by the U.S. Central Command commander to Israel for high-level meetings with the Israel Defense Forces chief of staff.
By early February, as Iran’s leadership grew increasingly worried about a possible U.S. strike and IRGC-linked messaging warned that such an action could trigger a wider regional war, exploitation attempts saw another clear and documented surge.
The primary targets are devices made by two of the world’s most widely deployed camera manufacturers: Hikvision and Dahua. Both brands are routinely installed in public areas, critical infrastructure sites, and commercial buildings across the region.
Their widespread presence makes them high-value targets for actors seeking real-time visual intelligence. Notably, no exploitation attempts from this infrastructure were directed at cameras from any other manufacturer.
The implications of this campaign go well beyond typical cyber espionage. During the 12-day conflict between Israel and Iran in June 2025, camera compromise was likely used to support battle damage assessment and target correction.
A particularly chilling example involved Iran’s missile strike on Israel’s Weizmann Institute of Science — Iranian actors reportedly took control of a street-facing camera near the building just before the missile hit. Taken together, these findings point to camera compromise functioning as a direct operational tool in kinetic warfare.
Exploiting Known Vulnerabilities in Widely Deployed Devices
Check Point Research’s analysis specifically mapped five known vulnerabilities being targeted across Hikvision and Dahua devices.
CVE-2017-7921 is an improper authentication flaw in Hikvision camera firmware; CVE-2021-36260 is a command injection vulnerability in Hikvision’s web server component.
CVE-2023-6895 is an OS command injection flaw in the Hikvision Intercom Broadcasting System, while CVE-2025-34067 — the most recently disclosed — is an unauthenticated remote code execution vulnerability in Hikvision’s Integrated Security Management Platform. CVE-2021-33044 rounds out the list as an authentication bypass affecting multiple Dahua products.
Patches are available from the manufacturers for all five vulnerabilities. Despite this, many devices remain unpatched and directly accessible from the internet, creating easy entry points.
Exploitation waves against Israel and Qatar were the sharpest, but Bahrain, Kuwait, the UAE, Cyprus, and Lebanon each recorded measurable activity as well.
Targeted Vulnerabilities in Hikvision and Dahua Cameras:

| CVE ID | Affected Vendor | Vulnerability Type | Description |
|---|---|---|---|
| CVE-2017-7921 | Hikvision | Improper Authentication | Authentication flaw in Hikvision IP camera firmware |
| CVE-2021-36260 | Hikvision | Command Injection | Command injection in Hikvision web server component |
| CVE-2023-6895 | Hikvision | OS Command Injection | OS command injection in Hikvision Intercom Broadcasting System |
| CVE-2025-34067 | Hikvision | Remote Code Execution | Unauthenticated RCE in Hikvision Integrated Security Management Platform |
| CVE-2021-33044 | Dahua | Authentication Bypass | Authentication bypass affecting multiple Dahua products |

Organizations operating IP cameras and surveillance systems across the region should take immediate action to reduce their exposure.
Camera systems and NVR devices should be removed from direct internet access and placed behind a VPN or zero-trust access gateway, eliminating the direct attack surface.
Default credentials must be replaced with strong, unique passwords across all devices. Firmware and management software should be updated regularly, and end-of-life devices that no longer receive security patches should be retired or replaced.
Cameras should be placed on isolated VLANs, with outbound traffic limited to necessary endpoints only. Security teams should actively monitor for repeated login failures, unexpected remote access, and unusual outbound connections from camera systems.
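The three monitoring signals named above (repeated login failures, unexpected remote access, unusual outbound connections) can be checked with a small log analysis like the following. This is an added example, not from the original article or Check Point Research; the log layout, subnets, allowlist, and failure threshold are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed environment (constructed for this example, not from the article).
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")   # isolated camera VLAN
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")      # NVR, NTP, admin hosts
ALLOWED_OUTBOUND = {("10.20.0.10", 554), ("10.20.0.5", 123)}  # NVR RTSP, NTP
FAIL_LIMIT, FAIL_WINDOW = 5, timedelta(minutes=5)

# Constructed log lines: "<time> <kind> <src> <dst> <dport> <result>"
SAMPLE_LOG = """\
2026-03-01T02:00:00 flow 10.20.30.11 10.20.0.10 554 allow
2026-03-01T02:00:05 flow 10.20.30.11 10.20.0.5 123 allow
2026-03-01T02:01:00 login 203.0.113.7 10.20.30.12 80 fail
2026-03-01T02:01:10 login 203.0.113.7 10.20.30.12 80 fail
2026-03-01T02:01:20 login 203.0.113.7 10.20.30.12 80 fail
2026-03-01T02:01:30 login 203.0.113.7 10.20.30.12 80 fail
2026-03-01T02:01:40 login 203.0.113.7 10.20.30.12 80 fail
2026-03-01T02:03:00 login 203.0.113.7 10.20.30.12 80 ok
2026-03-01T02:04:00 flow 10.20.30.12 198.51.100.9 4444 allow
2026-03-01T02:10:00 login 10.20.0.20 10.20.30.11 443 ok
"""

def analyze(log_text):
    """Return a list of (alert_type, camera_ip, detail) tuples."""
    alerts, recent_fails, reported = [], defaultdict(deque), set()
    for line in log_text.splitlines():
        ts, kind, src, dst, dport, result = line.split()
        ts, dport = datetime.fromisoformat(ts), int(dport)
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if kind == "flow" and src_ip in CAMERA_NET:
            if (dst, dport) not in ALLOWED_OUTBOUND:  # not a necessary endpoint
                alerts.append(("unusual_outbound", src, f"{dst}:{dport}"))
        elif kind == "login" and dst_ip in CAMERA_NET:
            if result == "fail":
                window = recent_fails[(src, dst)]
                window.append(ts)
                while ts - window[0] > FAIL_WINDOW:  # drop failures outside window
                    window.popleft()
                if len(window) >= FAIL_LIMIT and (src, dst) not in reported:
                    reported.add((src, dst))
                    alerts.append(("repeated_login_failures", dst, src))
            elif src_ip not in MGMT_NET:  # successful login from outside management
                alerts.append(("unexpected_remote_access", dst, src))
    return alerts

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

A burst of failures followed by a success from the same external address, then a new outbound flow from that camera, is the sequence worth escalating first.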
The post Threat Actors Intensify Targeting of IP Cameras Across Middle East Amid Ongoing Conflict appeared first on Cyber Security News.
