Iran-nexus hackers target flaws in surveillance cameras


Iran-linked hackers have stepped up attacks targeting IP cameras in recent days, exploiting critical flaws in widely used surveillance equipment.

Since late February, hackers have been scanning for vulnerabilities in Hikvision and Dahua products, according to a blog post by Check Point Research.

The flaws being targeted include a command injection flaw in Hikvision Intercom Broadcasting System, tracked as CVE-2023-6895, and CVE-2025-34067, a remote command execution vulnerability in Hikvision Security Management Platform.

A remote authentication bypass vulnerability, tracked as CVE-2021-33044, is found in certain Dahua products.

The targeting has been focused primarily against countries in the Persian Gulf region and Middle East, according to Check Point. Recent activity has been observed against devices in Israel, Cyprus, Lebanon, Qatar, Kuwait and other states in the region. 

Researchers said the exploitation has preceded kinetic attacks from missiles. It echoes prior threat activity seen during the 12-day conflict between Israel and Iran in 2025 and the Israel-Hamas war starting in 2023.

During the Israel-Hamas war, hackers linked to the Islamic Revolutionary Guard Corps (IRGC) targeted flaws in certain industrial products and took that experience into a widespread campaign targeting water facilities in the U.S.

IRGC-affiliated hackers previously gained experience targeting human-machine interfaces and programmable logic controllers and later targeted drinking and wastewater facilities in the U.S. 

Those same devices were used in other critical sectors as well, including some agricultural providers.  

The Cybersecurity and Infrastructure Security Agency added an improper authentication flaw, tracked as CVE-2017-7921, to its Known Exploited Vulnerabilities catalog. The vulnerability was one of several found in Hikvision IP cameras and is among the flaws referenced by Check Point. 

Editor’s note: Adds new information from CISA. 


