Over 80,000 Hikvision Cameras With a Critical Exploited Vulnerability Exposed Online

CYFIRMA researchers discovered over 80,000 Hikvision cameras exposed online with a previously exploited vulnerability.

The security cameras, belonging to over 2,300 organizations in 100 countries, contained a flaw tracked as CVE-2021-36260, for which Hikvision had provided firmware updates in September 2021.

The vulnerability, discovered by security experts identified as “Watchful IP,” affects various Hikvision camera products. The easily exploitable critical vulnerability, with a CVSS v3 score of 9.8, had been exploited twice by various threat actors in October 2021 and February 2022. In December 2021, Mirai botnet operators also enrolled vulnerable devices into their ‘Moobot’ campaign to execute DDoS attacks.

Hikvision Digital Technologies, or “Hikvision,” is a Chinese manufacturer of consumer and military surveillance cameras. Additionally, the company manufactures other IoT products for education, retail, and industry, including critical infrastructure.

The top users of vulnerable Hikvision cameras are China (12,700), the U.S. (10,611), and Vietnam (7,300). The U.K., Ukraine, Thailand, South Africa, France, Netherlands, and Romania also have exposed instances of vulnerable Hikvision camera products.

Adversaries could leverage exploited vulnerability in Hikvision cameras for cyber warfare

The command injection vulnerability impacts Hikvision’s web server and stems from insufficient input validation. As a result, a threat actor could exploit the vulnerability by sending messages with malicious commands to a vulnerable Hikvision camera product.

According to the security expert who discovered the exploited vulnerability, the flaw does not require user interaction.

CYFIRMA has observed threat actors collaborating on underground forums to exploit the vulnerability. Similarly, Russian hackers were trading in stolen passwords of Hikvision cameras, expanding the attack surface. Many stolen passwords originate from using default credentials that aren’t updated after installing Hikvision cameras.

“Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale,” the firm stated.

Chinese hackers such as MISSION2025/APT41, APT10, and their…