Over Eighty Thousand Hikvision Surveillance Cameras Remain Vulnerable to Critical Command Injection Flaw Nearly One Year After Patch Release

A significant security gap in global surveillance infrastructure has been identified as more than 80,000 Hikvision cameras remain unpatched against a critical vulnerability first disclosed nearly a year ago. Recent cybersecurity research indicates that despite the availability of a firmware fix since September 2021, a staggering number of devices used by thousands of organizations across more than 100 countries remain exposed to potential takeover. The flaw, tracked as CVE-2021-36260, carries a CVSS (Common Vulnerability Scoring System) score of 9.8 out of 10, categorizing it as "Critical" due to the ease with which an attacker can gain full control of the device without any user interaction or authentication.
Hikvision, formally known as Hangzhou Hikvision Digital Technology, is a Chinese state-owned enterprise and the world’s largest manufacturer of video surveillance equipment. Its hardware is ubiquitous in both public and private sectors, monitoring everything from residential driveways to sensitive government installations and critical infrastructure. The continued exposure of these devices presents a profound risk to global cybersecurity, as the vulnerability allows for unauthenticated remote code execution, effectively turning these cameras into entry points for broader network intrusions.
Technical Overview of CVE-2021-36260
The vulnerability is a command injection flaw located in the web server component of many Hikvision camera models. Because these cameras are designed to be managed over a network, they host a web interface that processes input from users. CVE-2021-36260 occurs because the input handling mechanism fails to properly sanitize data sent to the device. An attacker can craft a specific message containing malicious commands and send it to the camera’s web server; the device then executes those commands with the highest level of administrative privileges.
The severity of the flaw is underscored by its lack of complexity. An attacker does not need a username or password to exploit the system. By simply sending a malicious packet to the device’s IP address, the attacker can gain a "root" shell, allowing them to view live feeds, access stored footage, disable the camera, or use the device as a "bot" in a Distributed Denial of Service (DDoS) attack. Furthermore, once an attacker has control of a camera, they can use it as a pivot point to move laterally through the organization’s internal network, potentially accessing sensitive databases or workstations that are otherwise protected from the open internet.
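The bug class described above, shown as a constructed Python example rather than any Hikvision code: a device web handler that applies a request parameter by building a shell command line, beside a hardened version that validates the value against an allow-list and never invokes a shell. The `echo` helper, the `set_device_name` functions and the name pattern are assumptions chosen so the snippet runs anywhere.

```python
import re
import subprocess

# Constructed example, not the vendor's firmware: `echo` stands in for a
# privileged system command that a camera's web server would run as root.

NAME_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # assumed allow-list


def set_device_name_vulnerable(value: str) -> str:
    """Request data is spliced straight into a shell command line.
    Shell metacharacters in `value` (';', '|', '$(...)') become additional
    commands that run with the web server's privileges."""
    cmd = f"echo applying-name {value}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def set_device_name_hardened(value: str) -> str:
    """Reject anything outside a strict allow-list and pass the value as a
    separate argv element with no shell, so it can only ever be data."""
    if not NAME_PATTERN.match(value):
        raise ValueError(f"rejected device name: {value!r}")
    out = subprocess.run(["echo", "applying-name", value],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    print(set_device_name_vulnerable("lobby-cam; echo injected"), end="")
    print(set_device_name_hardened("lobby-cam"), end="")
```

The first call prints a second line the handler never intended, which is exactly the behaviour the allow-list plus argv form in the second call makes impossible.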
The Chronology of a Persistent Threat
The timeline of CVE-2021-36260 reveals a concerning lag between the identification of the threat and the implementation of security measures by end-users.
The journey began in June 2021, when a security researcher known as "Watchful_IP" discovered the flaw and reported it to Hikvision. Following a standard disclosure period, Hikvision acknowledged the vulnerability and released a firmware update on September 19, 2021. The company issued a security advisory urging customers to update their devices immediately. Shortly thereafter, the Cybersecurity and Infrastructure Security Agency (CISA) in the United States added the flaw to its "Known Exploited Vulnerabilities" catalog, mandating that federal agencies patch the devices within a strict timeframe.
By late 2021, proof-of-concept (PoC) code was publicly available on platforms like GitHub, lowering the barrier for entry for low-skilled attackers. Despite these warnings, research conducted in August 2022 by the threat intelligence firm Cyfirma revealed that the rate of patching had plateaued. The study analyzed over 285,000 Hikvision devices exposed to the internet and found that roughly 28%—more than 80,000 units—were still running vulnerable firmware versions nearly 11 months after the patch was made available.
Global Exposure and Geopolitical Tensions
The distribution of these vulnerable cameras is global, affecting over 100 nations. This widespread footprint is particularly sensitive given Hikvision’s background as a state-owned Chinese entity. In 2019, the U.S. Federal Communications Commission (FCC) designated Hikvision as an "unacceptable risk to U.S. national security" under the Secure and Trusted Communications Networks Act. This led to a ban on the use of federal funds to purchase Hikvision equipment and eventually contributed to broader restrictions on the sale of their hardware in the United States.
Despite these regulatory hurdles, Hikvision cameras remain common in U.S. commercial and residential markets. The Cyfirma report suggests that the highest concentrations of vulnerable devices are currently found in the United States, Vietnam, the United Kingdom, Brazil, and Thailand.
The security implications are compounded by the interest of sophisticated threat actors. Researchers have observed discussions on Russian-language dark web forums where cybercriminals are actively collaborating to exploit the Hikvision vulnerability. These forums have seen the sale of leaked credentials and "hit lists" of IP addresses belonging to vulnerable cameras. Security analysts have expressed concern that state-sponsored groups, including Chinese Advanced Persistent Threat (APT) groups such as APT41 (MISSION2025) and APT10, could leverage these unpatched devices for geopolitical espionage. By controlling a network of cameras within a foreign country, a state actor could monitor physical movements at sensitive sites or use the compromised hardware to launch cyberattacks while masking their true point of origin.
The Structural Challenges of IoT Security
The failure to patch 80,000 devices is not necessarily a sign of intentional negligence by organizations, but rather a symptom of the systemic difficulties inherent in Internet of Things (IoT) security. Unlike modern operating systems for PCs or smartphones, which often feature "silent" or automatic background updates, IoT devices like surveillance cameras frequently require manual intervention.
Paul Bischoff, a privacy advocate with Comparitech, points out that the update process for industrial hardware is often opaque. Users must typically visit the manufacturer’s website, identify the specific firmware for their exact model and hardware revision, download the file, and manually upload it through the camera’s administrative interface. For an organization managing hundreds of cameras across multiple locations, this task is labor-intensive and prone to error.
Furthermore, many IoT devices provide no visual indication to the user that they are running outdated software or that a security breach has occurred. In many cases, the staff responsible for physical security (who purchase and install the cameras) may not be the same individuals responsible for IT security, leading to a communication gap where critical firmware updates are overlooked.
The problem is further exacerbated by the use of default credentials. Many Hikvision cameras are shipped with a set of standard passwords. If a user fails to change these upon installation, even a camera that has been patched against CVE-2021-36260 remains vulnerable to simple "brute force" or credential-stuffing attacks. Cyfirma’s research noted that a significant portion of the exposed cameras were still using easily guessable or factory-default settings.
Forensic Limitations and Long-term Risks
A critical concern raised by security experts is the lack of forensic visibility into these devices. David Maynor, a senior director of threat intelligence, has noted that Hikvision’s product architecture makes it difficult for security teams to perform post-incident analysis. If a camera is compromised, there are few built-in tools to verify whether an attacker has been successfully removed or if they have left behind "backdoors" that persist even after a firmware update.
The inability to perform deep forensics means that an organization might patch their camera today, but if the device was already breached months ago, the attacker might still have a foothold in the network. This "persistence" is a hallmark of sophisticated cyber-espionage and makes the 11-month delay in patching even more dangerous.
Mitigation Strategies and Industry Recommendations
To address the immediate risk, cybersecurity agencies and private firms recommend a multi-layered approach to surveillance security. The primary and most urgent step is the application of the latest firmware updates provided by Hikvision. Organizations should audit their entire inventory of cameras to ensure no legacy hardware has been missed.
Beyond patching, experts recommend the following best practices:
- Network Segmentation: Surveillance cameras should never be placed on the same network as sensitive corporate data or guest Wi-Fi. They should be isolated on a dedicated Virtual Local Area Network (VLAN) with strict firewall rules.
- Eliminate Public Exposure: Cameras should not be directly accessible from the public internet. Instead, remote access should be facilitated through a secure Virtual Private Network (VPN) or a hardened gateway.
- Credential Management: Default passwords must be changed immediately upon deployment. Organizations should implement strong, unique passwords for every device and, where possible, utilize centralized identity management.
- Regular Auditing: Use tools like Shodan or internal vulnerability scanners to identify any "shadow" IoT devices that may have been installed without IT’s knowledge.
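The inventory audit these recommendations call for, as an added Python example (not a tool from Hikvision, CISA or Cyfirma) over a constructed camera inventory. The CSV columns, the placeholder model string and the rule "firmware build date earlier than the 19 September 2021 fix release means unpatched" are simplifying assumptions; a real assessment compares against the model-specific fixed versions in the vendor advisory.

```python
import csv
import io
from datetime import date

# Date the fix was released, per the article; build dates before it are
# treated as unpatched for CVE-2021-36260 (a simplifying assumption).
FIX_RELEASED = date(2021, 9, 19)

# Constructed sample inventory; the model string is a placeholder.
SAMPLE_INVENTORY = """\
name,model,firmware_build,default_creds,internet_reachable,vlan
lobby-cam-01,MODEL-PLACEHOLDER,2021-03-02,yes,yes,corp
dock-cam-07,MODEL-PLACEHOLDER,2021-11-15,no,no,cctv
garage-cam-03,MODEL-PLACEHOLDER,2021-06-30,no,yes,cctv
"""


def audit_cameras(inventory_csv: str, cctv_vlan: str = "cctv") -> dict:
    """Return {device name: [finding, ...]} for each device that violates
    one of the recommendations: patch, no default creds, no public
    exposure, dedicated VLAN."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        if date.fromisoformat(row["firmware_build"]) < FIX_RELEASED:
            issues.append("firmware predates CVE-2021-36260 fix; update now")
        if row["default_creds"].strip().lower() == "yes":
            issues.append("factory-default credentials still in use")
        if row["internet_reachable"].strip().lower() == "yes":
            issues.append("reachable from the internet; move behind VPN/gateway")
        if row["vlan"].strip() != cctv_vlan:
            issues.append(f"not on dedicated CCTV VLAN (found on '{row['vlan']}')")
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_cameras(SAMPLE_INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```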
Conclusion and Broader Implications
The persistence of the Hikvision vulnerability highlights a growing crisis in the global supply chain of connected devices. As the world becomes increasingly reliant on smart infrastructure, the "set it and forget it" mentality of IoT deployment is becoming a major national security liability. The fact that tens of thousands of organizations remain exposed to a known, critical flaw nearly a year after its discovery suggests that current methods of vulnerability communication and patch management are insufficient for the scale of the modern threat landscape.
For Hikvision, the situation serves as a reminder of the scrutiny placed on Chinese-made technology in the West. For the cybersecurity community, it is a call to action to develop more automated, resilient systems for securing the billions of IoT devices that now form the backbone of modern physical security. Until patching becomes as seamless for a camera as it is for a smartphone, the "surveillance of the watchers" will remain a lucrative and dangerous frontier for cybercriminals and state actors alike.