Hikvision and Dahua: 'Hundreds' of Iranian hacking attempts hit IP cameras

Iranian Hackers Exploit Surveillance Cameras in Middle East Ahead of Potential Attacks

Since February 28, Iranian-linked hacking groups have targeted internet-connected surveillance cameras in Israel and other Middle Eastern nations, according to Check Point Research. The campaign, attributed to multiple Iran-nexus threat actors, has involved hundreds of exploitation attempts against vulnerabilities in Hikvision and Dahua IP cameras, brands widely used across the region.

The targeted countries (Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon) align with areas experiencing heightened missile activity tied to Iran. Security researchers warn that such cyber intrusions may serve as reconnaissance for future kinetic strikes, a tactic Iran has employed in the past. In June 2025, Iranian operatives compromised CCTV servers in Jerusalem days before missile attacks, using live feeds to assess potential targets.

The attack infrastructure leveraged commercial VPNs (Mullvad, ProtonVPN, Surfshark, NordVPN) and virtual private servers to scan for unpatched flaws, including:

  • Hikvision vulnerabilities: CVE-2017-7921 (authentication bypass), CVE-2021-36260 (command injection), CVE-2023-6895 (OS command injection), and CVE-2025-34067 (remote code execution).
  • Dahua vulnerability: CVE-2021-33044 (authentication bypass).

All identified flaws have available patches. Check Point noted similar activity during the June 2025 Israel-Iran conflict, where compromised cameras aided battle damage assessments. In one instance, a street camera facing Israel’s Weizmann Institute was breached shortly before a missile strike on the facility.

While Iranian cyber operations have so far focused on espionage, disinformation, and DDoS attacks, often amplified by hacktivist groups for propaganda, pro-Russian hacktivists have also increased activity in the region. Palo Alto Networks’ Unit 42 warns this could expand the Middle East’s attack surface, introducing disruptive tactics historically used against NATO and European targets.

Check Point has not observed attacks on U.S. infrastructure but assesses the threat may broaden in the coming weeks.

Source: https://www.theregister.com/2026/03/04/iranian_hacking_attempts_ip_cameras/

Hikvision MEA cybersecurity rating report: https://www.rankiteo.com/company/hikvision-mea

Dahua Technology Co. LTD cybersecurity rating report: https://www.rankiteo.com/company/dahua-technology

"id": "HIKDAH1772677469",
"linkid": "hikvision-mea, dahua-technology",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': 'Hundreds of exploitation '
                                              'attempts',
                        'industry': 'Surveillance Technology',
                        'location': 'Global (Middle East focus)',
                        'name': 'Hikvision',
                        'type': 'Technology/Manufacturer'},
                       {'customers_affected': 'Hundreds of exploitation '
                                              'attempts',
                        'industry': 'Surveillance Technology',
                        'location': 'Global (Middle East focus)',
                        'name': 'Dahua',
                        'type': 'Technology/Manufacturer'},
                       {'industry': 'Education/Research',
                        'location': 'Israel',
                        'name': 'Weizmann Institute',
                        'type': 'Research Institution'}],
 'attack_vector': 'Exploitation of unpatched vulnerabilities in IP cameras',
 'data_breach': {'sensitivity_of_data': 'High (military/strategic '
                                        'reconnaissance)',
                 'type_of_data_compromised': 'Live surveillance footage, '
                                             'target assessments'},
 'date_detected': '2025-02-28',
 'description': 'Since February 28, Iranian-linked hacking groups have '
                'targeted internet-connected surveillance cameras in Israel '
                'and other Middle Eastern nations. The campaign involved '
                'hundreds of exploitation attempts against vulnerabilities in '
                'Hikvision and Dahua IP cameras. The targeted countries align '
                'with areas experiencing heightened missile activity tied to '
                'Iran, suggesting reconnaissance for future kinetic strikes.',
 'impact': {'data_compromised': 'Live camera feeds, potential target '
                                'assessments',
            'operational_impact': 'Potential aid in missile strike planning',
            'systems_affected': 'Hikvision and Dahua IP cameras'},
 'initial_access_broker': {'entry_point': 'Unpatched IP cameras',
                           'high_value_targets': 'Military/strategic locations '
                                                 '(e.g., Weizmann Institute)',
                           'reconnaissance_period': 'Since February 28, 2025'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Unpatched vulnerabilities in IoT devices (e.g., IP '
                    'cameras) can be exploited for strategic reconnaissance. '
                    'Heightened cyber activity may precede kinetic attacks.',
 'motivation': 'Reconnaissance for potential kinetic strikes, espionage',
 'post_incident_analysis': {'corrective_actions': 'Patch management, network '
                                                  'segmentation, enhanced '
                                                  'monitoring, threat '
                                                  'intelligence sharing',
                            'root_causes': 'Unpatched vulnerabilities in '
                                           'Hikvision and Dahua cameras, lack '
                                           'of network segmentation, '
                                           'insufficient monitoring of IoT '
                                           'devices'},
 'recommendations': ['Patch known vulnerabilities in Hikvision and Dahua '
                     'cameras immediately',
                     'Monitor for unusual activity on surveillance networks',
                     'Segment critical infrastructure from IoT devices',
                     'Enhance threat intelligence sharing in the Middle East '
                     'region'],
 'references': [{'source': 'Check Point Research'},
                {'source': 'Palo Alto Networks’ Unit 42'}],
 'response': {'remediation_measures': 'Patching vulnerabilities '
                                      '(CVE-2017-7921, CVE-2021-36260, '
                                      'CVE-2023-6895, CVE-2025-34067, '
                                      'CVE-2021-33044)',
              'third_party_assistance': 'Check Point Research, Palo Alto '
                                        'Networks’ Unit 42'},
 'stakeholder_advisories': 'Governments and organizations in the Middle East '
                           'should assess their surveillance infrastructure '
                           'for potential compromise and apply patches.',
 'threat_actor': 'Iran-nexus threat actors',
 'title': 'Iranian Hackers Exploit Surveillance Cameras in Middle East Ahead '
          'of Potential Attacks',
 'type': 'Cyber Espionage, Reconnaissance',
 'vulnerability_exploited': ['CVE-2017-7921 (Hikvision - authentication '
                             'bypass)',
                             'CVE-2021-36260 (Hikvision - command injection)',
                             'CVE-2023-6895 (Hikvision - OS command injection)',
                             'CVE-2025-34067 (Hikvision - remote code '
                             'execution)',
                             'CVE-2021-33044 (Dahua - authentication bypass)']}