A significant escalation in cyberattacks since late February 2026 has targeted internet-facing IP surveillance cameras across multiple countries in the Middle East, including Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, Cyprus, and Lebanon. The activity originates from infrastructure attributed to multiple Iran-nexus threat actors and is assessed to be directly linked to physical military operations, specifically for pre-strike reconnaissance, battle damage assessment (BDA), and post-strike target correction during missile campaigns. Earlier, more targeted waves of the same activity were also detected on January 14–15, 2026, coinciding with Iran’s temporary airspace closure amid heightened tensions and expectations of a potential U.S. military strike.
The campaign exclusively targets two major camera manufacturers, exploiting five known vulnerabilities: CVE-2017-7921 (Hikvision improper authentication), CVE-2021-36260 (Hikvision command injection enabling unauthenticated remote code execution), CVE-2023-6895 (Hikvision intercom system OS command injection), CVE-2025-34067 (Hikvision integrated security management platform unauthenticated RCE), and CVE-2021-33044 (Dahua IP camera authentication bypass). Patches are available for all five vulnerabilities, but many devices remain unpatched and directly exposed to the internet, leaving them open to exploitation.
The threat actors operate through layered anonymization infrastructure combining commercial VPN exit nodes from providers including Mullvad, ProtonVPN, Surfshark, and NordVPN with virtual private servers to enable rapid IP rotation and complicate attribution efforts. No specific named APT group has been publicly identified; however, infrastructure patterns are consistent with both Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS)-affiliated operations, indicating state-sponsored activity. The targeting of internet-connected surveillance infrastructure crosses all sectors, as the threat actors appear focused on geographic coverage rather than industry-specific targeting.
Since late February 2026, multiple Iran-nexus threat actors have significantly escalated exploitation attempts against internet-facing IP surveillance cameras across Israel, Qatar, Bahrain, Kuwait, the UAE, Lebanon, and Cyprus, countries also experiencing Iranian-linked missile activity during the same timeframe. The attackers operate through sophisticated layered anonymization infrastructure combining commercial VPN exit nodes from major providers including Mullvad, ProtonVPN, Surfshark, and NordVPN with virtual private servers to enable rapid IP address rotation and complicate attribution efforts.
No specific named advanced persistent threat group has been publicly identified in connection with this campaign; however, network infrastructure patterns, targeting priorities, and operational timing are consistent with both Islamic Revolutionary Guard Corps and Ministry of Intelligence and Security-affiliated cyber operations. The correlation between exploitation activity spikes and geopolitical military events strongly suggests state-directed intelligence, surveillance, and reconnaissance (ISR) operations supporting kinetic military planning and execution.
The campaign demonstrates focused targeting, exclusively exploiting vulnerabilities in two major IP camera manufacturers rather than conducting broad opportunistic scanning across all vendor products. The threat actors exploit five specific vulnerabilities that provide authentication bypass or remote code execution capabilities: CVE-2017-7921 affecting Hikvision products through improper authentication allowing unauthorized access, CVE-2021-36260 providing command injection enabling unauthenticated remote code execution on Hikvision devices, CVE-2023-6895 exploiting OS command injection in Hikvision intercom broadcasting systems, CVE-2025-34067 enabling unauthenticated remote command execution in Hikvision integrated security management platforms, and CVE-2021-33044 bypassing authentication on Dahua IP camera products.
Security patches are available for all five actively exploited vulnerabilities, and several have been added to the CISA Known Exploited Vulnerabilities catalog, indicating widespread exploitation and significant risk. However, many deployed surveillance devices remain unpatched and directly exposed to the internet, creating a persistent attack surface. Organizations frequently fail to maintain camera firmware updates due to lack of awareness, operational complexity, or concerns about disrupting surveillance coverage during patching windows.
Compromised cameras provide real-time intelligence, surveillance, and reconnaissance capabilities directly supporting military operations including battle damage assessment, target verification, and strike correction during missile campaigns. During the June 2025 Israel-Iran conflict, security researchers documented that a street-facing surveillance camera was reportedly compromised immediately before a ballistic missile struck the precise site the camera was monitoring, demonstrating the tactical value of compromised surveillance infrastructure for targeting intelligence.
The current campaign shows clear exploitation spikes correlating directly with specific geopolitical events and military escalations: January 14–15, 2026 coinciding with Iran’s temporary airspace closure and anti-regime protests amid expectations of potential U.S. military strikes, January 24, 2026 corresponding with the CENTCOM commander’s visit to Israel, early February 2026 during growing concerns about potential U.S. strikes against Iranian targets, and the most significant surge beginning February 28, 2026 coinciding with Operation Epic Fury, with additional Lebanon-focused exploitation activity intensifying on March 1, 2026.
This consistent temporal correlation between scanning and exploitation activity against surveillance infrastructure from attributed Iranian threat actor networks and subsequent geopolitical escalation or kinetic military operations reinforces the intelligence assessment that tracking exploitation attempts against internet-exposed surveillance devices can serve as a valuable early warning indicator of potential follow-on military operations. Organizations monitoring Iranian cyber activity should pay particular attention to scanning spikes against camera infrastructure during periods of heightened regional tensions, as these may presage imminent military action requiring real-time visual intelligence for targeting and damage assessment.
The strategic value of compromised surveillance cameras extends beyond immediate tactical intelligence. Sustained access to cameras monitoring critical infrastructure, military installations, government facilities, transportation hubs, and urban centers provides long-term intelligence collection supporting operational planning, pattern-of-life analysis, and target development for future operations. This campaign demonstrates how state actors are increasingly leveraging unsecured Internet of Things devices as strategic intelligence assets supporting both cyber and kinetic military operations.
Prioritize immediate patching of the five actively exploited vulnerabilities (CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, and CVE-2021-33044) across all deployed camera and network video recorder assets from the affected manufacturers. Organizations should inventory all surveillance devices, identify firmware versions, and create emergency patching schedules. Immediately decommission or replace any end-of-life devices that no longer receive firmware security updates from manufacturers, as these represent permanent security gaps that cannot be remediated.
Remove all direct WAN access, port forwarding rules, and public-facing configurations from IP cameras and network video recorders immediately. Place all surveillance devices behind VPN tunnels or zero-trust network access gateways to prevent unauthorized remote access from the internet. Conduct comprehensive external attack surface audits using internet scanning tools like Shodan to identify any unknown or forgotten camera endpoints exposed to the public internet that may have been deployed by previous IT staff or contractors.
Change all default, factory-set, and weak passwords on every camera, network video recorder, and centralized management platform across the surveillance environment. Enforce unique, complex credentials per device using password management systems and disable any anonymous or guest access features that may be enabled by default. Where supported by device firmware, enable multi-factor authentication on centralized camera management consoles and administrative interfaces to prevent credential-based attacks.
Deploy all cameras and network video recorders on dedicated VLANs with strict access control lists preventing any lateral movement to corporate IT, operational technology, or other sensitive networks. Restrict outbound traffic from camera network segments to only required firmware update servers and authorized cloud endpoints. Block all unnecessary protocols and ports, and ensure surveillance traffic cannot reach sensitive internal systems even if individual devices are compromised through vulnerability exploitation.
Deploy security monitoring to detect repeated authentication failures, brute-force login attempts, and unexpected remote access sessions targeting surveillance devices. Alert on any cameras or network video recorders initiating unusual outbound connections, particularly to commercial VPN IP address ranges or unfamiliar VPS infrastructure. Prioritize continuous vulnerability scanning, network traffic analysis, and device behavior baselines as the primary detection strategy for identifying compromised surveillance infrastructure.
The attackers operate through combinations of commercial VPN exit nodes from Mullvad, ProtonVPN, Surfshark, and NordVPN alongside virtual private server infrastructure to scan and exploit camera devices. Configure firewall and intrusion detection/prevention system rules to flag or block inbound connection attempts from known commercial VPN IP ranges targeting common camera ports, particularly port 80 (HTTP), 443 (HTTPS), 554 (RTSP streaming protocol), and 37777 (Dahua default port). Correlate any detected scanning spikes against these ports with geopolitical developments in the Middle East region, as this campaign has demonstrated clear patterns of intensifying during periods of regional military escalation.
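To illustrate the two detections described in the preceding paragraphs (inbound scanning of camera ports from commercial VPN ranges, and cameras initiating outbound sessions to those ranges), here is an added example that is not part of the advisory. The log format, the VPN address ranges (documentation prefixes standing in for the providers' published exit ranges), the surveillance VLAN prefix, and the spike threshold are all assumptions.

```python
# Added example, not from the advisory: flag VPN-sourced probing of camera
# ports and camera-initiated outbound sessions to VPN ranges in firewall logs.
import ipaddress
from collections import defaultdict

CAMERA_PORTS = {80, 443, 554, 37777}  # ports named in the advisory
# Assumed placeholder ranges; load the VPN providers' published exit ranges here.
VPN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
CAMERA_VLAN = ipaddress.ip_network("10.50.0.0/24")  # assumed surveillance segment
SPIKE_THRESHOLD = 3  # distinct camera ports probed by one source in the log

def in_vpn_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)

def parse_line(line):
    # Constructed format: "<timestamp> <action> src=<ip> dst=<ip> dport=<port>"
    ts, action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "action": action, "src": kv["src"],
            "dst": kv["dst"], "dport": int(kv["dport"])}

def analyze(lines):
    """Return (scanners, outbound): VPN sources probing >= SPIKE_THRESHOLD camera
    ports on the camera VLAN, and camera-initiated sessions to VPN ranges."""
    probed = defaultdict(set)  # source IP -> camera ports it touched
    outbound = []              # (camera, remote, dport) sessions to VPN ranges
    for line in lines:
        ev = parse_line(line)
        src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
        # Denied attempts count too: scanning shows up mostly in deny logs.
        if in_vpn_range(ev["src"]) and dst in CAMERA_VLAN and ev["dport"] in CAMERA_PORTS:
            probed[ev["src"]].add(ev["dport"])
        if src in CAMERA_VLAN and in_vpn_range(ev["dst"]):
            outbound.append((ev["src"], ev["dst"], ev["dport"]))
    scanners = {s: sorted(p) for s, p in probed.items() if len(p) >= SPIKE_THRESHOLD}
    return scanners, outbound

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
2026-02-28T06:01:02Z DENY src=198.51.100.7 dst=10.50.0.21 dport=80
2026-02-28T06:01:03Z DENY src=198.51.100.7 dst=10.50.0.21 dport=554
2026-02-28T06:01:04Z DENY src=198.51.100.7 dst=10.50.0.22 dport=37777
2026-02-28T06:01:05Z ALLOW src=192.0.2.10 dst=10.50.0.21 dport=443
2026-02-28T06:02:10Z ALLOW src=10.50.0.21 dst=203.0.113.9 dport=443
2026-02-28T06:02:11Z ALLOW src=10.50.0.21 dst=192.0.2.50 dport=443
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Counting hits per day and plotting them against the dates listed in the advisory is the correlation step the text recommends; the script above supplies the per-event classification that feeds it.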
The Iranian IP camera exploitation campaign employs multiple tactics and techniques mapped to the MITRE ATT&CK framework. Reconnaissance is conducted through active scanning (vulnerability scanning) and the gathering of victim network information (IP addresses) and victim host information (hardware specifications). Resource development consists of acquiring virtual private server infrastructure and obtaining exploit capabilities. Initial access is gained by exploiting public-facing applications and external remote services, with execution through command and scripting interpreters. Defense evasion relies on proxy infrastructure, specifically multi-hop proxies combining commercial VPNs and VPS infrastructure. Collection takes the form of video capture of surveillance camera feeds for intelligence supporting military operations.
The threat advisory references authoritative security research from Check Point documenting the interplay between Iranian targeting of IP cameras and physical warfare in the Middle East region. The advisory also includes patch links for all five actively exploited vulnerabilities from Hikvision and Dahua manufacturer security advisories and firmware download centers. These references provide additional technical depth, vulnerability details, and patching guidance for security teams remediating Iranian exploitation attempts against surveillance infrastructure.