Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Over 80,000 Unpatched Hikvision Cameras Exposed to Takeover

Cybersecurity firm Cyfirma has identified more than 80,000 Hikvision cameras that haven’t been patched against a critical code execution vulnerability exploited in the wild.

Cybersecurity firm Cyfirma has identified more than 80,000 Hikvision cameras that haven’t been patched against a critical code execution vulnerability exploited in the wild.

Tracked as CVE-2021-36260, the vulnerability leads to root access and allows an attacker to take full control of a device and potentially compromise the entire network. More than 70 Hikvision device models are impacted.

The security bug has a CVSS rating of 9.8, given that exploitation only requires access to the HTTP(S) server port (typically 80/443), without authentication.

Exploits targeting the vulnerability were published in October 2021 and February 2022. In December 2021, the Mirai-based ‘Moobot’ botnet was observed targeting the vulnerability in attacks.

In January 2022, CISA added the security flaw to its ‘must-patch’ list, which catalogs vulnerabilities for which the agency has evidence of in-the-wild exploitation.

Fixes for CVE-2021-36260 have been available since September 2021, but tens of thousands of Hikvision cameras and NVRs remain unpatched.

According to Cyfirma, there are over 80,000 unpatched Hikvision devices – out of a total of 285,000 – that are accessible from the internet, thus exposed to potential takeover.

More than 2,000 organizations in over 100 countries are potentially exposed to attacks, especially since many of the vulnerable devices also have multiple ports opened, the cybersecurity firm says in a report (PDF).

The largest number of vulnerable devices are located in China (roughly 12,700), US (~10,000), Vietnam (~7,300), UK (~4,800), and Ukraine (~3,000).

Cyfirma also notes that it has reason to believe that Chinese and Russian advanced persistent threat (APT) actors are likely to exploit vulnerabilities in these devices.

“Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale. These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization’s environment,” Cyfirma says.

Related: Unpatched Micodus GPS Tracker Vulnerabilities Allow Hackers to Remotely Disable Cars

Related: Many IoT Devices Exposed to Attacks Due to Unpatched Flaw in uClibc Library

Related: CISA Warns of Hikvision Camera Flaw as U.S. Aims to Rid Chinese Gear From Networks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet