
Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East

High
Vulnerability
Published: Wed Mar 04 2026 (03/04/2026, 03:16:44 UTC)
Source: Check Point Research

Description

As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support […]

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/05/2026, 00:12:49 UTC

Technical Analysis

This threat involves coordinated cyber operations by Iranian-linked threat actors targeting IP cameras manufactured primarily by Hikvision and Dahua across the Middle East. Beginning in early 2026, and intensifying during periods of heightened geopolitical tension and military conflict, these actors exploited multiple known vulnerabilities, including:

- CVE-2017-7921 (improper authentication in Hikvision firmware)
- CVE-2021-36260 (command injection in Hikvision web server)
- CVE-2023-6895 (OS command injection in Hikvision intercom system)
- CVE-2025-34067 (unauthenticated remote code execution in Hikvision security platform)
- CVE-2021-33044 (authentication bypass in Dahua products)

The attackers used commercial VPN exit nodes and VPS infrastructure to scan and exploit exposed devices, focusing exclusively on these two vendors. The compromised cameras provide real-time visual intelligence supporting Iranian military operations such as battle damage assessment and target correction during missile strikes, as evidenced during the June 2025 conflict and ongoing hostilities. The targeting aligns with missile activity and key geopolitical events, including airspace closures and military visits. The attackers’ ability to remotely access and control cameras enables them to monitor sensitive locations, gather intelligence, and potentially influence kinetic operations.

The threat underscores the convergence of cyber and physical warfare, where cyber intrusions directly support military objectives. Despite patches being available for all exploited vulnerabilities, many devices remain exposed due to poor security hygiene, default credentials, and lack of network segmentation. The threat actors’ infrastructure and tactics demonstrate a persistent and strategic campaign leveraging cyber tools to augment physical conflict capabilities.

Potential Impact

The impact of this threat is significant for organizations and governments in the Middle East, particularly those relying on IP cameras for security, surveillance, and operational awareness. Compromise of these devices undermines confidentiality by exposing sensitive visual data to adversaries, integrity by allowing manipulation or disabling of surveillance feeds, and availability by potentially disrupting camera functionality. Militarily, the ability to conduct real-time battle damage assessment and target correction enhances the effectiveness of missile strikes and kinetic operations, increasing the risk of collateral damage and escalation. For civilian infrastructure, compromised cameras can lead to privacy violations, loss of situational awareness, and potential physical security breaches. The widespread targeting across multiple countries indicates a broad operational scope, affecting critical infrastructure and government facilities. The use of known vulnerabilities suggests that many organizations have not adequately patched or secured their devices, amplifying the risk. The threat also highlights the risk of cyber operations directly influencing physical conflict outcomes, raising concerns about escalation and regional stability. Organizations face reputational damage, operational disruption, and potential physical harm due to these cyber-enabled kinetic effects.

Mitigation Recommendations

1. Eliminate public exposure of IP cameras and network video recorders (NVRs) by removing direct WAN access; place devices behind VPNs or zero-trust access gateways to restrict access.
2. Enforce strong, unique credentials for all devices; immediately change default passwords and implement credential management policies.
3. Apply all available security patches and firmware updates from manufacturers promptly; replace or decommission end-of-life devices that no longer receive security updates.
4. Implement strict network segmentation by isolating cameras on dedicated VLANs with no lateral movement to corporate or operational technology (OT) networks; tightly control outbound traffic to only necessary update or cloud endpoints.
5. Deploy continuous monitoring and detection mechanisms to identify repeated login failures, unexpected remote access, and unusual outbound connections from cameras.
6. Conduct regular vulnerability assessments and penetration testing focused on IP camera infrastructure.
7. Maintain threat intelligence feeds to track emerging attack infrastructure and indicators of compromise linked to Iranian threat actors.
8. Train security teams and relevant personnel on the risks and signs of IP camera compromise, emphasizing the operational impact in conflict zones.
9. Collaborate with vendors to ensure timely patching and receive security advisories.
10. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts against known vulnerabilities in IP cameras.
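
The monitoring in recommendation 5, combined with the egress allow-list from recommendation 4, can be prototyped as below; this is an added example, not code from Check Point Research or from this page. The log format, subnets, allowed update server, and thresholds are all assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed site policy (hypothetical values; replace with your own).
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")      # dedicated camera VLAN
MGMT_SOURCES = ipaddress.ip_network("10.20.1.0/24")      # VPN / jump hosts
ALLOWED_EGRESS = {ipaddress.ip_address("192.0.2.10")}    # firmware update server
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=2)

# Constructed sample events, one per line: "<ISO time> <kind> <src> <dst>"
SAMPLE_LOG = """\
2026-03-04T03:00:00 login_fail 203.0.113.7 10.20.30.15
2026-03-04T03:00:10 login_fail 203.0.113.7 10.20.30.15
2026-03-04T03:00:20 login_fail 203.0.113.7 10.20.30.15
2026-03-04T03:00:30 login_fail 203.0.113.7 10.20.30.15
2026-03-04T03:00:40 login_fail 203.0.113.7 10.20.30.15
2026-03-04T03:01:00 login_ok 203.0.113.7 10.20.30.15
2026-03-04T03:02:00 login_ok 10.20.1.5 10.20.30.15
2026-03-04T03:03:00 flow 10.20.30.15 192.0.2.10
2026-03-04T03:04:00 flow 10.20.30.15 198.51.100.23
2026-03-04T03:05:00 login_fail 10.20.1.5 10.20.30.16
"""

def analyze(log_text):
    """Return (alert_type, src, dst) tuples in the order they are detected."""
    alerts, fails = [], defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, src, dst = line.split()
        ts = datetime.fromisoformat(ts)
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        pair = (str(src), str(dst))
        if kind == "login_fail" and dst in CAMERA_VLAN:
            # Sliding window of recent failures per (source, camera) pair.
            recent = [t for t in fails[pair] if ts - t <= FAIL_WINDOW] + [ts]
            fails[pair] = recent
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("repeated_login_failures",) + pair)
                fails[pair] = []  # re-arm so one burst yields one alert
        elif kind == "login_ok" and dst in CAMERA_VLAN and src not in MGMT_SOURCES:
            # Successful login that did not come through the VPN / jump hosts.
            alerts.append(("unexpected_remote_access",) + pair)
        elif (kind == "flow" and src in CAMERA_VLAN
              and dst not in CAMERA_VLAN and dst not in ALLOWED_EGRESS):
            # Camera talking to anything other than the allowed endpoints.
            alerts.append(("unusual_outbound",) + pair)
    return alerts
```
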


Technical Details

Article Source
{"url":"https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/","fetched":true,"fetchedAt":"2026-03-05T00:12:36.281Z","wordCount":1088}

Threat ID: 69a8ca74d1a09e29cb878a10

Added to database: 3/5/2026, 12:12:36 AM

Last enriched: 3/5/2026, 12:12:49 AM

Last updated: 4/19/2026, 10:07:32 AM
