Multiple Iranian hacking groups have conducted hundreds of exploitation attempts against internet-connected surveillance cameras across Israel and neighbouring Middle Eastern countries since hostilities began on 28th February 2026. The campaign has targeted IP cameras manufactured by Hikvision and Dahua across seven countries including Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon—territories that have experienced significant missile activity linked to Iran. The threat actors, operating from infrastructure attributed to several Iran-nexus groups, have combined commercial VPN exit nodes from providers including Mullvad, ProtonVPN, Surfshark, and NordVPN with virtual private servers to scan for and exploit five known vulnerabilities in these specific camera brands while ignoring other manufacturers entirely.
The targeted security flaws span nearly a decade of disclosed vulnerabilities, ranging from a 2017 improper authentication issue in Hikvision IP camera firmware to a 2025 unauthenticated remote code execution vulnerability in Hikvision’s Integrated Security Management Platform. Additional exploited vulnerabilities include command injection flaws in Hikvision web server components and Intercom Broadcasting Systems, as well as an authentication bypass affecting multiple Dahua products. Patches are available for all of these weaknesses, yet they remain exploitable on unpatched systems.
This camera-targeting activity may serve as an early indicator of potential follow-on kinetic military operations: Iran traditionally uses digital reconnaissance, including compromised surveillance cameras, to prepare for physical attacks. During the 12-day conflict between Israel and Iran in June 2025, Iranian operatives reportedly compromised a street camera facing Israel’s Weizmann Institute of Science shortly before the facility was struck by a ballistic missile, likely to support battle damage assessment.
Organisations should immediately update camera firmware and software to the latest patched versions, remove direct wide area network access to prevent public internet exposure, isolate cameras on dedicated VLANs with no lateral access to corporate or operational technology networks, and monitor for repeated login failures or unexpected remote connections.
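The monitoring recommendation above can be implemented as a small detection pass over connection or web-access events for the camera VLAN. The following is an added example, not taken from the original report; the VLAN range, management allowlist, thresholds and the five-field event format are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed site values (not from the article): adjust to your own network.
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.40.0/28")]  # NVR / management hosts
FAIL_THRESHOLD = 5               # auth failures per source/camera pair...
WINDOW = timedelta(minutes=5)    # ...within this sliding window

# Constructed sample events: "timestamp src_ip dst_ip dst_port status"
SAMPLE_EVENTS = """\
2026-03-01T10:00:00 10.20.40.2 10.20.30.11 443 200
2026-03-01T10:01:00 203.0.113.7 10.20.30.11 80 401
2026-03-01T10:01:20 203.0.113.7 10.20.30.11 80 401
2026-03-01T10:01:40 203.0.113.7 10.20.30.11 80 401
2026-03-01T10:02:00 203.0.113.7 10.20.30.11 80 401
2026-03-01T10:02:20 203.0.113.7 10.20.30.11 80 401
2026-03-01T10:04:00 198.51.100.9 10.20.30.12 554 200
2026-03-01T10:05:00 10.20.40.2 10.1.1.5 443 401
truncated-line
""".splitlines()

def analyze(lines):
    """Return (alert_type, src, dst) tuples, one per type and src/dst pair."""
    alerts, seen, failures = [], set(), defaultdict(deque)
    def alert(kind, src, dst):
        if (kind, src, dst) not in seen:
            seen.add((kind, src, dst))
            alerts.append((kind, src, dst))
    for line in lines:
        try:
            ts_s, src_s, dst_s, _port, status = line.split()
            ts = datetime.fromisoformat(ts_s)
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        except ValueError:
            continue                      # skip malformed records
        if dst not in CAMERA_VLAN:
            continue                      # only traffic towards cameras matters here
        if not any(src in net for net in ALLOWED_SOURCES):
            alert("unexpected_remote", src_s, dst_s)
        if status in ("401", "403"):
            recent = failures[(src_s, dst_s)]
            recent.append(ts)
            while ts - recent[0] > WINDOW:
                recent.popleft()          # drop failures older than the window
            if len(recent) >= FAIL_THRESHOLD:
                alert("repeated_login_failures", src_s, dst_s)
    return alerts
```

Once cameras are isolated as recommended, any `unexpected_remote` alert also indicates a gap in the VLAN or firewall rules, since only the allowlisted management hosts should be able to reach them.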