Threat actors intensify targeting of IP cameras across the Middle East amid ongoing conflict


Check Point Research says it observed a sharp rise in attempts to exploit internet-connected Hikvision and Dahua IP cameras across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon starting February 28, 2026. The activity came from infrastructure Check Point attributes to multiple Iran-nexus threat actors, and it focused only on these two camera vendors in the telemetry Check Point analyzed.

Check Point also says it saw earlier, more targeted waves on January 14–15 against cameras in Israel and Qatar, and it links the timing to heightened regional tension and Iran’s temporary airspace closure during that period.

The practical risk is straightforward. If your cameras or NVRs sit on the public internet and still run old firmware, attackers can attempt authentication bypass, command injection, or remote code execution using known CVEs. Check Point says patches exist for every vulnerability it listed, so exposure and patching discipline will decide who gets hit next.

What researchers observed

Check Point says the attacking infrastructure combined commercial VPN exit nodes and VPS hosts. It specifically names Mullvad, ProtonVPN, Surfshark, and NordVPN as VPN providers seen in the infrastructure used for scanning.

Check Point’s findings also connect camera targeting to operational support and battle damage assessment concepts. It says monitoring camera-targeting from attributed infrastructure may serve as an early indicator of potential follow-on kinetic activity in some cases.

Exploitation Attempts Per Day 2026 – Israel (Source – Check Point)

Targeted countries and activity windows

| What | What Check Point reported |
| --- | --- |
| Main spike | Began February 28, 2026 |
| Countries named | Israel, Qatar, Bahrain, Kuwait, UAE, Cyprus, Lebanon |
| Earlier activity | January 14–15 in Israel and Qatar |
| Vendor focus | Hikvision and Dahua only (from the tracked infrastructure) |

Vulnerabilities being scanned and exploited

Check Point mapped the activity to five known vulnerabilities spanning Hikvision and Dahua products.

| CVE | Vendor | Vulnerability type | Public description source |
| --- | --- | --- | --- |
| CVE-2017-7921 | Hikvision | Improper authentication | NVD |
| CVE-2021-36260 | Hikvision | Command injection in web server | NVD |
| CVE-2023-6895 | Hikvision | OS command injection | NVD |
| CVE-2025-34067 | Hikvision | Unauthenticated remote code execution | NVD |
| CVE-2021-33044 | Dahua | Authentication bypass | NVD |

Why Hikvision and Dahua deployments face outsized risk

These brands appear widely deployed in public spaces and commercial sites, which makes them attractive for real-time visual intelligence. Check Point says it did not see interaction attempts against other camera vendors from the same tracked infrastructure, which suggests deliberate targeting rather than random scanning.

Independent coverage adds context. The Register reports Check Point tracked “hundreds” of exploit attempts tied to these CVEs since hostilities began on February 28, based on an interview with a Check Point threat intelligence manager.

Exploitation Attempts Per Day 2026 – Qatar (Source – Check Point)

What organizations should do now

  • Remove direct WAN exposure for cameras and NVRs. Put them behind a VPN or a zero-trust access gateway and block port forwards.
  • Change default credentials and enforce unique passwords per device.
  • Patch firmware and management platforms. Check Point says updates are available for all listed CVEs and it recommends replacing end-of-life devices that no longer receive fixes.
  • Segment camera networks. Put cameras on a dedicated VLAN and block lateral access to corporate or OT networks. Limit outbound traffic to only required endpoints.
  • Monitor for compromise signals like repeated login failures, unexpected remote logins, or unusual outbound connections initiated by camera systems.
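The monitoring and segmentation bullets above can be turned into a small detection pass. The following is an added example, not code from Check Point or from the original article: it flags repeated login failures, successful logins from outside the admin path, and camera-initiated egress outside an allowlist. The subnets, thresholds, and key=value log format are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout (hypothetical values): adjust to your own network.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")    # dedicated camera VLAN
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")      # VPN / admin subnet
EGRESS_ALLOW = {ipaddress.ip_address("10.10.0.5")}   # e.g. NTP or NVR host
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)

# Constructed sample events in a made-up key=value format.
SAMPLE_LOG = """\
2026-03-01T02:10:01Z type=auth src=203.0.113.7 dst=10.20.0.11 result=fail
2026-03-01T02:10:03Z type=auth src=203.0.113.7 dst=10.20.0.11 result=fail
2026-03-01T02:10:05Z type=auth src=203.0.113.7 dst=10.20.0.11 result=fail
2026-03-01T02:10:07Z type=auth src=203.0.113.7 dst=10.20.0.11 result=fail
2026-03-01T02:10:09Z type=auth src=203.0.113.7 dst=10.20.0.11 result=fail
2026-03-01T02:10:30Z type=auth src=203.0.113.7 dst=10.20.0.11 result=ok
2026-03-01T02:11:00Z type=auth src=10.10.0.20 dst=10.20.0.12 result=ok
2026-03-01T02:12:00Z type=flow src=10.20.0.11 dst=10.10.0.5 dport=123
2026-03-01T02:12:10Z type=flow src=10.20.0.11 dst=198.51.100.9 dport=443
"""

def parse(line):
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec

def detect(log_text):
    alerts, fails = [], defaultdict(list)   # fails: (src, dst) -> timestamps
    for r in map(parse, log_text.strip().splitlines()):
        src, dst = (ipaddress.ip_address(r[k]) for k in ("src", "dst"))
        key = (src, dst)
        if r["type"] == "auth" and dst in CAMERA_NET:
            if r["result"] == "fail":
                # Keep only failures inside the sliding window, then count.
                fails[key] = [t for t in fails[key] if r["ts"] - t <= FAIL_WINDOW]
                fails[key].append(r["ts"])
                if len(fails[key]) == FAIL_THRESHOLD:
                    alerts.append(("repeated_login_failures", str(src), str(dst)))
            elif src not in MGMT_NET:
                alerts.append(("unexpected_remote_login", str(src), str(dst)))
        elif r["type"] == "flow" and src in CAMERA_NET:
            if dst not in CAMERA_NET and dst not in EGRESS_ALLOW:
                alerts.append(("unexpected_egress", str(src), str(dst)))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

In production the same three rules would read from the firewall, NVR, or flow-collector export rather than an inline string.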

Fast hardening checklist

| Control | Minimum bar | Better bar |
| --- | --- | --- |
| Remote access | No public internet exposure | VPN or ZTNA with device posture checks |
| Credentials | Unique passwords, no defaults | Rotate credentials and store in a vault |
| Firmware | Patch all devices quarterly | Patch on vendor release plus exposure review |
| Network | VLAN isolation | Micro-segmentation plus egress allowlists |
| Monitoring | Auth failures and logins | Add flow monitoring for unexpected egress |

FAQ

What is driving the surge in IP camera targeting?

Check Point says it observed intensified targeting from Iran-nexus infrastructure starting February 28, with patterns that may align with operational support and battle damage assessment concepts.

Which camera brands were targeted?

Check Point says it observed attempts against Hikvision and Dahua devices, and it did not observe interaction attempts against other camera vendors from the same infrastructure.

Are patches available?

Yes. Check Point states patches are available for all five vulnerabilities it listed.

What is the single most important mitigation?

Remove public internet exposure for cameras and NVRs. That step cuts off the easiest path for scanning and exploitation attempts.
