
A new open-source tool called HikvisionExploiter has emerged, designed to automate attacks on vulnerable Hikvision IP cameras.
Released on GitHub in mid-2024 but gaining renewed attention amid 2025’s surge in camera exploits, this Python-based utility targets unauthenticated endpoints in cameras running outdated firmware, such as version 3.1.3.150324.
Developed for researchers and red teamers, it streamlines reconnaissance and exploitation, highlighting how easily exposed devices can be compromised for surveillance hijacking or credential theft.
HikvisionExploiter runs a fixed sequence of automated checks against each target. It first requests the /onvif-http/snapshot endpoint without credentials; a successful reply means live images can be pulled from the camera by anyone who can reach it.
It then retrieves the device configuration file, decrypts it (an AES pass followed by an XOR pass), and parses the resulting XML for usernames, privilege levels, and other sensitive fields.
The toolkit scans thousands of targets listed in a plain targets.txt file using multiple threads, and writes results into timestamped, color-coded folders for later review.
Beyond reconnaissance, it offers remote command execution through the command injection flaw described below and an interactive shell on the device, which takes an engagement from "exposed endpoint" to full device compromise in one run.
Installation requires Python 3.6+, the requests library, and pycrypto (unmaintained; the drop-in pycryptodome package provides the same Crypto namespace), with FFmpeg optional for stitching captured snapshots into video.
Targets are typically collected with a Shodan search for the firmware string, and the tool can be combined with scanners such as Nuclei for broader vulnerability detection across the exposed cameras found.
The Core Vulnerability: CVE-2021-36260
At the heart of the toolkit is CVE-2021-36260, a critical command injection flaw in Hikvision’s web server that allows unauthenticated attackers to execute arbitrary OS commands.
Discovered in 2021, the vulnerability stems from inadequate input validation in web server endpoints such as /SDK/webLanguage, enabling remote code execution with high privileges on the device.
It affects numerous Hikvision camera models, particularly in the DS-2CD and DS-2DF series, running firmware older than the vendor's fixed builds.
| CVE ID | Affected Products | CVSS 3.1 Score | Severity | Description | Exploit Prerequisites |
|---|---|---|---|---|---|
| CVE-2021-36260 | DS-2CD2021G1-I(W), DS-2CD2023G2-I(U), DS-2CD2026G2-IU/SL, DS-2CD2027G2-L(U), and over 100 other DS-2CD/DS-2DF models (firmware < V5.5.0 build 210702) | 9.8 | Critical | Command injection via insufficient validation in web server endpoints, allowing arbitrary command execution. | Network access to exposed web interface; no authentication required. |
This flaw has been actively exploited since 2021, and CISA added it to its Known Exploited Vulnerabilities catalog in January 2022 on the strength of real-world attacks.
In 2025, researchers noted novel abuse techniques, such as using the “mount” command to drop malware on compromised devices.
With thousands of Hikvision cameras still exposed online, attackers can steal snapshots, user data, or pivot to network breaches, fueling ransomware or DDoS operations.
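For the defensive side of the endpoint described above, here is an added detection example (not from the article or the tool) that runs over web server access log lines and flags requests aimed at /SDK/webLanguage. It assumes a combined log format that records method, request target and status but not the request body, so it flags two things: shell metacharacters in the (percent-decoded) request target, rated high, and any PUT or POST to the endpoint, rated medium for analyst review since the body is not available. The log lines in SAMPLE_LOG are constructed.

```python
"""Flag access-log entries aimed at /SDK/webLanguage (added example, constructed log)."""
import re
import urllib.parse
from typing import Iterable, List, NamedTuple, Optional

# Combined log format: ip - - [timestamp] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
SUSPECT_PATH = "/sdk/weblanguage"   # compared case-insensitively, trailing slash ignored
# Command substitution, backticks and command separators: what an injected OS command needs.
SHELL_META = re.compile(r"\$\(|\$\{|`|\|\||&&|[;|]")


class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    target: str       # decoded request target
    status: int
    confidence: str   # "high" or "medium"
    reason: str


def decode_target(target: str) -> str:
    """Percent-decode up to twice so a double-encoded '$(' (%2524%2528) is still seen."""
    out = target
    for _ in range(2):
        dec = urllib.parse.unquote(out)
        if dec == out:
            break
        out = dec
    return out


def inspect(line: str) -> Optional[Hit]:
    m = LOG_RE.match(line)
    if not m:
        return None                      # malformed or non-access-log line
    target = decode_target(m["target"])
    path = target.split("?", 1)[0]
    if path.lower().rstrip("/") != SUSPECT_PATH:
        return None
    status = int(m["status"])
    if SHELL_META.search(target):
        return Hit(m["ip"], m["ts"], m["method"], target, status, "high",
                   "shell metacharacters in request target to /SDK/webLanguage")
    if m["method"] in ("PUT", "POST"):
        return Hit(m["ip"], m["ts"], m["method"], target, status, "medium",
                   "write to /SDK/webLanguage; body not logged, review the request")
    return None


def scan_log(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (inspect(line) for line in lines) if h is not None]


# Constructed sample (documentation addresses, hypothetical timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "PUT /SDK/webLanguage HTTP/1.1" 200 0',
    '203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "GET /SDK/webLanguage?lang=%24%28id%29 HTTP/1.1" 500 12',
    '198.51.100.4 - - [12/Mar/2025:10:02:00 +0000] "GET /onvif-http/snapshot HTTP/1.1" 401 0',
    '198.51.100.9 - - [12/Mar/2025:10:02:30 +0000] "GET /doc/page/login.asp HTTP/1.1" 200 1234',
    '203.0.113.7 - - [12/Mar/2025:10:03:10 +0000] "POST /sdk/webLanguage/?x=%2524%2528id%2529 HTTP/1.1" 200 0',
    '198.51.100.4 - - [12/Mar/2025:10:04:00 +0000] "GET /SDK/webLanguage HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"[{h.confidence:6}] {h.ip} {h.method} {h.target} -> {h.status}: {h.reason}")
```

A plain GET to the endpoint with no metacharacters is deliberately not reported, to keep the rule from paging on every page load of the web UI; pipe real logs through scan_log and correlate high-confidence hits with the source address before treating them as confirmed exploitation.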
Security experts urge immediate firmware updates (V5.7.0 or later, or whichever fixed build Hikvision lists for the specific model), network segmentation so cameras are never reachable from the internet, and disabling unused services and ports.
Organizations can use tools like this, with authorization, to find their own exposed cameras before an attacker does, but the volume of unpatched deployments still online means that discovery must be followed by patching and isolation, not just logging.