Iran-linked Hikvision and Dahua surveillance camera targeting campaign
Campaign
Summary
Hide ▲
Show ▼
A coordinated campaign is targeting Hikvision and Dahua surveillance cameras across the Middle East, increasing the risk that compromised devices could support military planning and reconnaissance. The activity is linked to Iranian threat infrastructure and intensified on February 28, with additional targeting in Lebanon on March 1. The operation relies on commercial VPN exit nodes and virtual private servers and scans for known flaws such as CVE-2021-33044 and CVE-2017-7921. Patches exist, but exposed cameras remain attractive reconnaissance targets.
Related Happenings
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation Wave
H score47
First: 08.06.2026 17:17
Last: 08.06.2026 17:17
Sources 1
About this happening:
**CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Iran-linked proxy cyber-physical device scanning campaign
Campaign
H score35
First: 27.03.2026 16:42
Last: 27.03.2026 16:42
Sources 1
About this happening:
Iran-linked proxies are **widening scans** for **vulnerable cyber-physical devices**, increasing the risk of opportunistic access across **specific countries** and the **private s...
Iran-linked proxy cyber-physical device scanning campaign
CampaignAbout this happening: Iran-linked proxies are **widening scans** for **vulnerable cyber-physical devices**, increasing the risk of opportunistic access across **specific countries** and the **private s...
Iran's network of traffic cameras hit by cyberattack
Incident
H score23
First: 27.03.2026 16:42
Last: 27.03.2026 16:42
Sources 1
About this happening:
The **Iranian traffic-camera network** was reportedly **hijacked** and used to track **Ayatollah Ali Khamenei** before a deadly **air strike**, showing how connected surveillance...
Iran's network of traffic cameras hit by cyberattack
IncidentAbout this happening: The **Iranian traffic-camera network** was reportedly **hijacked** and used to track **Ayatollah Ali Khamenei** before a deadly **air strike**, showing how connected surveillance...
Iran MOIS embeds cybercriminal services into offensive operations
Threat Actor Meta
H score20
First: 12.03.2026 23:11
Last: 12.03.2026 23:11
Sources 1
About this happening:
**Iran's MOIS** is increasingly using the **cybercriminal underground** to support offensive operations, making attribution harder and raising the risk of **destructive activity**...
Iran MOIS embeds cybercriminal services into offensive operations
Threat Actor MetaAbout this happening: **Iran's MOIS** is increasingly using the **cybercriminal underground** to support offensive operations, making attribution harder and raising the risk of **destructive activity**...
Hikvision and Dahua camera exploitation wave (active targeting)
Exploitation Wave
H score8
First: 06.03.2026 16:01
Last: 06.03.2026 16:01
Sources 1
How related:
The bugs they use include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895 for Hikivision ; and CVE-2025-34067 and CVE-2021-33044 in the case of Dahua.
About this happening:
An **active exploitation wave** is targeting **Hikvision** and **Dahua IP cameras**, using multiple authentication and command-related flaws to compromise exposed devices. The wav...
Hikvision and Dahua camera exploitation wave (active targeting)
Exploitation WaveHow related: The bugs they use include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895 for Hikivision ; and CVE-2025-34067 and CVE-2021-33044 in the case of Dahua.
About this happening: An **active exploitation wave** is targeting **Hikvision** and **Dahua IP cameras**, using multiple authentication and command-related flaws to compromise exposed devices. The wav...
Timeline
-
04.03.2026 17:00 1 articles · 4mo ago
Iran-linked Hikvision and Dahua surveillance camera targeting campaign
Initial DisclosureInitial activity centered on **targeted scanning** on **January 14–15**. That early phase coincided with Iranian airspace restrictions and appears to have preceded the broader late-February surge.
Show sources
- Surge in Attacks on Surveillance Cameras Linked to Iranian Hackers — www.infosecurity-magazine.com — 04.03.2026 17:00
-
04.03.2026 02:00 1 articles · 4mo ago
Iran-linked camera targeting expands across the Middle East
Campaign Scope UpdateCheck Point Research reported on March 4 that Iranian threat actors intensified targeting of Hikvision and Dahua IP cameras across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus. The activity used CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, and CVE-2021-33044 and was assessed as supporting battle damage assessment and possible follow-on missile activity.
Show sources
- Iran's Cyber-Kinetic War Doctrine Takes Shape — www.darkreading.com — 06.03.2026 16:01