Cybersecurity Full Review

Thousands of Hikvision Cameras Still Exposed to Critical CVE Nearly a Year Later

bogartlg
Jun 16, 2025

Tens of Thousands of Surveillance Cameras Still Unpatched

Despite a critical vulnerability being publicly disclosed nearly a year ago, more than 80,000 Hikvision surveillance cameras remain unpatched and exposed to remote exploitation, according to new research. The flaw — a command injection vulnerability tracked as CVE-2021-36260 — received a severity score of 9.8 out of 10 from NIST and continues to put thousands of organizations at risk.

Hikvision, short for Hangzhou Hikvision Digital Technology, is a Chinese state-owned manufacturer of video surveillance systems used in over 100 countries. Although the U.S. Federal Communications Commission designated Hikvision an “unacceptable risk to national security” in 2019, the brand’s devices remain widely deployed — including within the United States.

Exploit Activity Observed on Dark Web Forums

The original vulnerability, revealed last fall, allows attackers to execute arbitrary commands on affected devices. Since then, researchers have identified ongoing interest in exploiting this flaw, particularly on Russian-language dark web forums, where leaked credentials and hacker collaborations have surfaced.

The full extent of exploitation remains unknown, but researchers speculate that Chinese APT groups like MISSION2025/APT41 and APT10, as well as unidentified Russian threat actors, could leverage this vulnerability to support geopolitical or espionage-related objectives.

Structural Weaknesses in Hikvision and IoT Security

Security experts suggest that Hikvision’s security posture is part of a larger systemic problem in the IoT ecosystem. David Maynor, senior director of threat intelligence at Cybrary, noted that Hikvision products often contain “easy to exploit systemic vulnerabilities” and are difficult to audit after compromise.

“There is no good way to perform forensics or verify that an attacker has been excised. Furthermore, we have not observed any change in Hikvision’s posture to signal an increase in security within their development cycle.”

David Maynor, Cybrary

Update Challenges in the IoT Ecosystem

Part of the issue lies in how IoT devices handle software updates — or don’t. Unlike smartphones or laptops, many IoT devices lack automated patching mechanisms. Paul Bischoff, a privacy advocate at Comparitech, emphasized that these devices often require users to manually apply updates, and users may never be notified that a fix is available.

“IoT devices might not give users any indication that they’re unsecured or out of date. Whereas your phone will alert you when an update is available, IoT devices do not offer such conveniences.”

Paul Bischoff, Comparitech

Hikvision’s reliance on default passwords further exacerbates the risk. Many of their cameras ship with preset credentials, and in many cases, users fail to change them — leaving devices wide open to exploitation.

A Growing Attack Surface With No Clear Resolution

With exposed devices still being actively enumerated using search tools like Shodan and Censys, cybercriminals can easily identify unprotected cameras. The combination of poor patch adoption, weak credentials, and limited user awareness creates a vast and enduring attack surface.
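The three factors this paragraph names (unpatched firmware, unchanged default credentials, internet exposure) are exactly what a defender's asset inventory should be able to answer per device. The following is an added example, not code from the article or from Hikvision; it parses a constructed CSV inventory export (the column names and the scoring weights are assumptions) and produces a prioritized remediation list so the cameras that combine all three weaknesses are fixed first.

```python
"""Triage a camera inventory by the risk factors named in the article.

Added example (not from the article). The CSV layout below is an assumed
inventory export; the weights are an assumed policy, not a CVSS formula.
"""
import csv
import io
from dataclasses import dataclass

# Assumed scoring weights: an unpatched device is the dominant factor,
# default credentials and internet exposure compound it.
WEIGHT_UNPATCHED = 5
WEIGHT_DEFAULT_CREDS = 3
WEIGHT_EXPOSED = 2


@dataclass(frozen=True)
class CameraAsset:
    asset_id: str
    firmware_patched: bool      # vendor fix applied?
    default_credentials: bool   # factory credentials still in use?
    internet_exposed: bool      # reachable from outside the network?


def _flag(value: str) -> bool:
    """Parse the yes/no style values an inventory export typically uses."""
    return value.strip().lower() in {"yes", "y", "true", "1"}


def parse_inventory(csv_text: str) -> list[CameraAsset]:
    """Turn an inventory CSV (assumed columns) into CameraAsset records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        CameraAsset(
            asset_id=row["asset_id"].strip(),
            firmware_patched=_flag(row["firmware_patched"]),
            default_credentials=_flag(row["default_credentials"]),
            internet_exposed=_flag(row["internet_exposed"]),
        )
        for row in reader
    ]


def risk_score(asset: CameraAsset) -> int:
    """Sum the assumed weights for every weakness the asset still has."""
    score = 0
    if not asset.firmware_patched:
        score += WEIGHT_UNPATCHED
    if asset.default_credentials:
        score += WEIGHT_DEFAULT_CREDS
    if asset.internet_exposed:
        score += WEIGHT_EXPOSED
    return score


def remediation_actions(asset: CameraAsset) -> list[str]:
    """List the concrete fixes that would bring this asset's score to zero."""
    actions = []
    if not asset.firmware_patched:
        actions.append("apply vendor firmware update")
    if asset.default_credentials:
        actions.append("replace factory credentials")
    if asset.internet_exposed:
        actions.append("remove direct internet exposure (VPN or segmented network)")
    return actions


def triage(assets: list[CameraAsset]) -> list[tuple[str, int, list[str]]]:
    """Return (asset_id, score, actions) for at-risk assets, highest score first."""
    scored = [(a.asset_id, risk_score(a), remediation_actions(a)) for a in assets]
    at_risk = [entry for entry in scored if entry[1] > 0]
    return sorted(at_risk, key=lambda entry: (-entry[1], entry[0]))


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """asset_id,firmware_patched,default_credentials,internet_exposed
cam-lobby-01,no,yes,yes
cam-dock-02,yes,no,no
cam-yard-03,no,no,yes
cam-server-04,yes,yes,no
"""


if __name__ == "__main__":
    for asset_id, score, actions in triage(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{asset_id}: score {score} -> {'; '.join(actions)}")
```

Running the block prints the lobby camera first (unpatched, default credentials and exposed, score 10), then the yard camera (7), then the server-room camera (3); the fully remediated dock camera does not appear. The point is that the article's three factors are each cheap to record per device and, once recorded, turn a vague "tens of thousands still vulnerable" into an ordered work list.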

Experts agree: without proactive updates and systemic reform in IoT security practices, tens of thousands of Hikvision cameras will likely remain vulnerable for the foreseeable future — a lingering threat to global organizations and national infrastructures alike.
