There's an uncomfortable irony at the heart of modern physical security: the cameras and systems businesses install to protect their premises are frequently among the most vulnerable devices on their networks. As we've explored in our articles on whether your security camera is watching you and IoT device security, the devices meant to keep you safe can be the very things that let attackers in.

On March 5, 2026, CISA added CVE-2017-7921—a critical authentication bypass vulnerability in Hikvision cameras—to its Known Exploited Vulnerabilities catalog after confirming that attackers are actively exploiting it in the wild. The flaw, rated 9.8 on the CVSS scale, allows attackers to bypass login procedures entirely and gain full administrative control of affected devices: viewing live video feeds, downloading recordings, manipulating configurations, and using the compromised camera as a pivot point into the broader network.

The most striking detail isn't the severity—it's the date. This vulnerability was first discovered in 2017. Nine years later, enough Hikvision cameras remain unpatched and exposed that CISA felt compelled to issue a binding directive requiring federal agencies to remediate by March 26, 2026. It's a pattern that defines Hikvision—the world's largest surveillance camera manufacturer, with an estimated 20 to 25 percent global market share by revenue—and it raises serious questions about whether the cost savings of cheap surveillance equipment are worth the security risks they introduce.

Hikvision's Vulnerability History: A Pattern, Not an Anomaly

The CISA KEV addition doesn't exist in isolation. Hikvision has accumulated a significant history of critical security flaws, several of which have been actively exploited at scale.

CVE-2017-7921: The Backdoor That Won't Die

In 2017, security researcher Montecrypto discovered what the U.S. Department of Homeland Security scored as a 10.0/10.0 vulnerability—a backdoor in Hikvision cameras that allowed full remote administration access with no authentication required. Attackers could bypass login procedures entirely using a specially crafted URL. Hikvision characterized it as "debug code inadvertently left by a developer" rather than an intentional backdoor, though the distinction offered little comfort to organizations whose cameras were exposed. The flaw affected hundreds of thousands of cameras worldwide, intensified scrutiny of Hikvision's ties to the Chinese government, and contributed to subsequent legislative action. Hikvision released a patch within a week—but as CISA's March 2026 KEV addition confirms, devices running vulnerable firmware remain actively exploited nearly a decade later. SANS Internet Storm Center had been detecting exploit attempts targeting this vulnerability for months before CISA's formal action.

CVE-2021-36260: The One That Wouldn't Go Away

In September 2021, Hikvision disclosed CVE-2021-36260—a command injection vulnerability with a CVSS score of 9.8 that allowed unauthenticated remote code execution through the camera's web server. No credentials were needed. An attacker could gain full control of any affected device simply by sending a crafted request.

The scope was staggering. The total number of affected devices was estimated at over 100 million, including Hikvision cameras and the many OEM products that use Hikvision internals under different brand names. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog in January 2022 and issued a binding directive requiring federal agencies to patch.

But the real story of CVE-2021-36260 is what happened after the patch was released. By mid-2022—less than a year after the fix was available—researchers found over 80,000 Hikvision cameras still vulnerable and exposed to the internet. Botnets including Moobot (a Mirai variant) specifically targeted the vulnerability to conscript cameras into DDoS attack networks. Russian-speaking hacking forums traded exploits and access to compromised cameras. The devices bought to monitor for physical threats were actively participating in cyberattacks against other organizations.

The Pattern Continues

Between the 2017 backdoor and the 2026 CISA action, Hikvision has accumulated additional critical vulnerabilities in a near-annual cadence: CVE-2023-28808 (CVSS 9.8, an access control flaw allowing attackers to obtain administrator permissions in storage products), CVE-2024-47487 (SQL injection in HikCentral), and multiple privilege escalation flaws in 2025. The pattern is consistent: critical flaws, patches released, and a large installed base of devices that are slow to be updated—or never updated at all.

As we've covered in our article on why keeping your systems updated matters, the window between vulnerability disclosure and exploitation has narrowed dramatically. With IoT devices like cameras, that window is particularly dangerous because the devices are often the last to be patched.

Why IoT Devices Are Different—and More Dangerous

Security cameras, access control systems, and other IoT devices present a fundamentally different security challenge than laptops or servers. We've covered the risks of IoT devices before—but understanding why they're so hard to secure requires looking at how they're typically deployed and managed.

They're Installed and Forgotten

Most IoT devices lack automatic update mechanisms. Firmware must be manually downloaded from the manufacturer's website and applied—a process that many organizations never perform after initial installation. Research from Phosphorus found that as many as 50 percent of IoT devices have known vulnerabilities or default passwords. Across IoT broadly, industry data suggests that 70 percent or more of devices are running outdated firmware at any given time. The average time to patch an IoT vulnerability is 6 to 12 months after disclosure—compared to days or weeks for managed IT systems.

They Expand the Attack Surface Invisibly

A business might have a handful of servers and a few dozen workstations, all tracked in an IT inventory. But that same business might also have dozens of cameras, a network-connected access control system, smart thermostats, networked printers, and various other IoT devices—many of which IT has limited visibility into. Palo Alto Networks' Unit 42 found that 57 percent of IoT devices are vulnerable to medium- or high-severity attacks, describing IoT as "the low-hanging fruit" for attackers. Their research also revealed a striking disproportion: cameras make up only 5 percent of enterprise IoT devices but account for 33 percent of all security issues. As we discussed in our article on reducing your attack surface, every connected device is a potential entry point, and every endpoint needs to be secured.

They Sit on the Network with Everything Else

In many organizations—particularly small and midsize businesses—security cameras share the same network as workstations, servers, and business-critical systems. We've written about home office devices that can lead to a breach, and the same principle applies at the office. An attacker who compromises a camera doesn't just have a camera. They have a foothold on the network, from which they can scan for other targets, move laterally, and escalate access. This is exactly why network segmentation is so important, and it's a principle that applies equally to business networks and home offices.

When Security Devices Become the Attack Vector

The irony of a security camera becoming an entry point for a cyberattack isn't theoretical. It's happened repeatedly.

The Casino Fish Tank (2017)

In one of the most cited IoT breach cases, hackers compromised an internet-connected fish tank thermometer in a North American casino. The thermometer—a monitoring device on the same network as business systems—gave attackers a foothold from which they exfiltrated 10 GB of data, including the casino's high-roller database, to a server in Finland. The device was installed to monitor the aquarium's environment. It became the weakest link in the casino's entire network.

The Verkada Breach (2021)

In March 2021, a hacker group breached Verkada's cloud-managed camera platform and gained access to more than 150,000 live camera feeds from Verkada customers including Tesla, Cloudflare, hospitals, jails, and schools. The attackers accessed the full video archive of all affected customers. The breach exposed a particular risk of cloud-managed camera systems: a single vendor compromise can expose every customer simultaneously. The FTC fined Verkada $2.95 million in August 2024.

Mirai and Its Descendants (2016–Present)

The original Mirai botnet in 2016 compromised over 600,000 IoT devices—primarily cameras and DVRs—by scanning for just 61 known default username and password combinations. The resulting DDoS attack against DNS provider Dyn temporarily took down Twitter, Netflix, Reddit, Spotify, and dozens of other major services. Mirai variants continue to target IoT devices today, with Moobot specifically targeting Hikvision cameras through CVE-2021-36260. The devices businesses install for physical security are being weaponized for cyberattacks at scale.

Target (2013)

Perhaps the most famous IoT-adjacent breach: attackers compromised Target's network through credentials stolen from Fazio Mechanical Services, an HVAC contractor with network access to Target's systems. The breach exposed 40 million credit and debit card numbers and 70 million customer records, costing Target an estimated $292 million. The root cause wasn't a camera, but the lesson applies directly: connected building systems that share network access with business-critical infrastructure create pathways attackers can exploit.

The Hikvision Problem Is Bigger Than Vulnerabilities

Hikvision's security issues extend beyond individual CVEs. The company's ownership structure and relationship with the Chinese government raise additional concerns that organizations should factor into procurement decisions.

Hikvision is controlled by China Electronics Technology Group Corporation (CETC), a Chinese state-owned defense contractor that holds approximately 39 to 42 percent of the company. CETC is a major military-industrial conglomerate that develops military electronics and weapons systems. This ownership structure has led to significant government action:

  • U.S. Entity List (2019): The U.S. Commerce Department placed Hikvision on its Entity List for involvement in human rights abuses related to surveillance of Uyghur Muslims in Xinjiang, restricting U.S. companies from selling technology to Hikvision.
  • NDAA Section 889 (2019–2020): The National Defense Authorization Act banned U.S. government agencies and their contractors from procuring or using Hikvision video surveillance equipment.
  • FCC Covered List (2022): The FCC added Hikvision to its list of equipment that poses "an unacceptable risk to the national security of the United States" and banned new equipment authorizations.
  • International restrictions: The European Parliament voted to remove Hikvision cameras from its premises in 2021. The UK government ordered removal of Hikvision cameras from sensitive sites in November 2022. Australia ordered removal from government buildings in February 2023.

The fact that multiple governments have concluded that Hikvision equipment poses a national security risk should give any business pause—regardless of whether they fall under the NDAA or FCC restrictions.

What to Do About It

If your organization uses Hikvision cameras—or any IoT devices that haven't received regular security attention—here's a practical framework for reducing your risk.

Immediate: Patch and Isolate

  • Patch now. If you have Hikvision devices, verify that your firmware addresses CVE-2017-7921 (the actively exploited authentication bypass that CISA added to its KEV catalog in March 2026) and CVE-2021-36260, along with any other advisories listed on Hikvision's security center. If your devices are too old to receive updates, they need to be replaced—not left on your network.
  • Segment your network. Every IoT device—cameras, access control panels, smart building systems—should be on an isolated VLAN with firewall rules that restrict traffic to only what's necessary. As we've discussed in our articles on layering your security and zero trust frameworks, network segmentation limits the blast radius when any device is compromised.
  • Change default credentials. If any camera or IoT device on your network still uses factory-default passwords, change them today. The Mirai botnet compromised 600,000 devices using nothing more than a list of default credentials. As we covered in our piece on password security mistakes businesses make, default passwords on any system are an open invitation.
  • Disable unnecessary services. Turn off UPnP, P2P cloud features, Telnet, and any other services that aren't required for your cameras to function. Each enabled service is additional attack surface.
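The four steps above can be turned into a repeatable check against your own device inventory. The script below is an added example, not code from this article or from Hikvision; the inventory records, the per-vendor firmware baselines, and the VLAN number are constructed placeholders, and the real baseline for each device should be the fixed firmware version named in the vendor's own advisory for the CVEs you track.

```python
"""Audit an IoT inventory against the four immediate controls: patch level,
network isolation, credential rotation and unnecessary services.

Added example. The device records, firmware baselines and VLAN numbers are
constructed placeholders, not data from the article or from any vendor.
"""
import re
from dataclasses import dataclass, field

# Placeholder baseline per vendor: the lowest firmware the vendor advisory
# names as fixed for the CVEs you track. These values are constructed.
FIRMWARE_BASELINE = {"hikvision": (5, 4, 5), "acme-cam": (2, 1, 0)}
RISKY_SERVICES = {"upnp", "p2p", "telnet"}
IOT_VLANS = {30}            # constructed: VLAN 30 is the isolated camera VLAN


@dataclass
class Device:
    name: str
    vendor: str
    firmware: str
    vlan: int
    services: set = field(default_factory=set)
    creds_rotated: bool = False   # factory password changed since install?
    wan_reachable: bool = False   # management port answers from the internet?


def parse_version(text):
    """'V5.4.0 build 160530' -> (5, 4, 0); the build suffix is ignored."""
    m = re.match(r"\s*[vV]?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable firmware string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def audit(dev):
    """Return the list of immediate-priority findings for one device."""
    findings = []
    baseline = FIRMWARE_BASELINE.get(dev.vendor.lower())
    if baseline is None:
        findings.append("no patch baseline recorded for vendor; check advisories")
    elif parse_version(dev.firmware) < baseline:
        findings.append(f"firmware {dev.firmware} is below baseline "
                        + ".".join(map(str, baseline)))
    if dev.vlan not in IOT_VLANS:
        findings.append(f"sits on VLAN {dev.vlan}, not an isolated IoT VLAN")
    if not dev.creds_rotated:
        findings.append("factory-default credentials never changed")
    exposed = RISKY_SERVICES & {s.lower() for s in dev.services}
    if exposed:
        findings.append("unnecessary services enabled: " + ", ".join(sorted(exposed)))
    if dev.wan_reachable:
        findings.append("management interface reachable from the internet")
    return findings


# Constructed inventory: three devices, one of which passes every check.
INVENTORY = [
    Device("lobby-cam-01", "hikvision", "V5.4.0 build 160530", vlan=10,
           services={"rtsp", "http", "upnp", "telnet"}),
    Device("lobby-cam-02", "hikvision", "V5.6.2 build 210215", vlan=30,
           services={"rtsp", "https"}, creds_rotated=True),
    Device("dock-cam-07", "acme-cam", "2.0.9", vlan=30,
           services={"rtsp", "p2p"}, creds_rotated=True, wan_reachable=True),
]


def audit_inventory(devices):
    """Map each device name to its findings; an empty list means it passes."""
    return {d.name: audit(d) for d in devices}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

A device with an empty findings list satisfies all four controls; anything else is work for the immediate queue. Firmware strings are compared as version tuples rather than as text so that "V5.10.0" correctly ranks above "V5.4.5", a comparison that string sorting gets wrong.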

Medium-Term: Build an IoT Security Practice

  • Inventory all IoT devices. You can't secure what you don't know about. Create and maintain a complete inventory of every IoT device on your network, including firmware versions. Most organizations lack complete visibility into their IoT devices.
  • Establish a firmware update schedule. Quarterly at minimum. Subscribe to vendor security advisories so you're aware of patches when they're released, not months later.
  • Monitor IoT traffic. Deploy network detection tools that can identify anomalous behavior from IoT devices—unexpected outbound connections, port scanning, or communication with known malicious infrastructure.
  • Vet your vendors. Before purchasing IoT equipment, evaluate the vendor's security track record, vulnerability disclosure process, and patch support timeline. A device that's 30 percent cheaper but has a history of critical vulnerabilities and slow patches isn't actually cheaper when you factor in the security risk.
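The monitoring step above is easiest to reason about when the camera VLAN has a short, explicit list of permitted conversations, so that anything else is by definition anomalous. The following script is an added example, not code from this article or any vendor product: it runs the three checks named above (unexpected outbound connections, port scanning, and contact with known malicious infrastructure) over constructed flow records. The address ranges, the NVR and NTP allow-list, the block-list, and the flow log itself are all constructed placeholders.

```python
"""Flag anomalous flows originating from an isolated camera VLAN.

Added example: the flow records, address ranges, allow-list and block-list
below are constructed placeholders, not data from the article.
"""
import ipaddress
from collections import defaultdict

CAMERA_NET = ipaddress.ip_network("10.30.0.0/24")      # constructed camera VLAN
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only conversations a camera should have: RTSP/HTTPS to the NVR and NTP.
ALLOWED = {("10.20.0.5", 554), ("10.20.0.5", 443), ("10.20.0.6", 123)}
BLOCKLIST = {"198.51.100.20"}   # constructed stand-in for a threat-intel feed
SCAN_THRESHOLD = 5              # distinct ports on one host => treat as a scan

# Constructed flow log, one record per line: timestamp src dst dport proto
FLOWS = """\
2026-03-06T09:00:01 10.30.0.11 10.20.0.5 554 tcp
2026-03-06T09:00:02 10.30.0.11 10.20.0.6 123 udp
2026-03-06T09:00:03 10.30.0.12 10.20.0.9 22 tcp
2026-03-06T09:00:03 10.30.0.12 10.20.0.9 23 tcp
2026-03-06T09:00:03 10.30.0.12 10.20.0.9 80 tcp
2026-03-06T09:00:04 10.30.0.12 10.20.0.9 443 tcp
2026-03-06T09:00:04 10.30.0.12 10.20.0.9 445 tcp
2026-03-06T09:00:04 10.30.0.12 10.20.0.9 3389 tcp
2026-03-06T09:00:05 10.30.0.13 198.51.100.20 443 tcp
2026-03-06T09:00:06 10.30.0.13 203.0.113.7 8080 tcp
2026-03-06T09:00:07 10.20.0.50 10.20.0.5 443 tcp
"""


def is_internal(addr):
    """RFC 1918 membership, checked explicitly rather than via is_private."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def analyse(text):
    """Return a sorted list of (camera, alert_type, detail) tuples."""
    state = defaultdict(lambda: {"bad": set(), "ext": set(), "int": set(),
                                 "ports": defaultdict(set)})
    for _ts, src, dst, dport, _proto in parse_flows(text):
        if src not in CAMERA_NET:
            continue                        # only camera-originated traffic is in scope
        if (str(dst), dport) in ALLOWED:
            continue                        # expected NVR / NTP conversation
        s = state[str(src)]
        s["ports"][str(dst)].add(dport)     # per-destination port fan-out
        if str(dst) in BLOCKLIST:
            s["bad"].add(str(dst))
        if is_internal(dst):
            s["int"].add((str(dst), dport))
        else:
            s["ext"].add((str(dst), dport))

    alerts = []
    for cam, s in state.items():
        if s["bad"]:
            alerts.append((cam, "known-bad-destination", ", ".join(sorted(s["bad"]))))
        if s["ext"]:
            alerts.append((cam, "external-connection",
                           ", ".join(f"{d}:{p}" for d, p in sorted(s["ext"]))))
        if s["int"]:
            alerts.append((cam, "unexpected-internal-destination",
                           ", ".join(f"{d}:{p}" for d, p in sorted(s["int"]))))
        for dst, ports in s["ports"].items():
            if len(ports) >= SCAN_THRESHOLD:
                alerts.append((cam, "port-scan", f"{dst} ({len(ports)} distinct ports)"))
    return sorted(alerts)


if __name__ == "__main__":
    for cam, kind, detail in analyse(FLOWS):
        print(f"{cam}  {kind}: {detail}")
```

In the constructed log, the camera at 10.30.0.11 only talks to the NVR and the NTP server and produces no alert, 10.30.0.12 probes six ports on a workstation subnet host (a lateral-movement pattern), and 10.30.0.13 reaches out to the internet, once to a block-listed address. The RFC 1918 check is written out explicitly because Python's `is_private` also treats the documentation ranges used for the sample addresses as private, which would misclassify them.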

Long-Term: Plan Your Replacement

For organizations still using Hikvision or Dahua equipment, the combination of recurring critical vulnerabilities, state ownership concerns, and government restrictions should inform a planned transition to alternatives. NDAA-compliant manufacturers with stronger security track records include Axis Communications (Sweden), Hanwha Vision (South Korea), Bosch (Germany), and Avigilon/Motorola Solutions (U.S./Canada). These alternatives cost more—Hikvision cameras can be significantly cheaper, with price premiums for NDAA-compliant alternatives ranging from modest to several times the cost depending on the brand and model—but the total cost of ownership calculation should include the security overhead of maintaining high-risk equipment on your network.

As we explored in our article on supply chain attacks and software trust, the vendor you choose to trust with access to your infrastructure matters. With surveillance equipment, that trust extends to a device that can see and hear everything in your physical environment while simultaneously sitting on your network.

The Broader Lesson

The Hikvision story is really a story about the IoT security gap that exists in most organizations. Businesses invest in endpoint security for laptops and servers, deploy ransomware prevention tools, and train employees on emerging threats. But the cameras in the hallway, the badge reader at the door, and the smart thermostat in the server room often receive none of that attention—even though they sit on the same network and face the same threats.

IoT malware attacks increased 107 percent in the first half of 2024 compared to the same period in 2023. Research from NETSCOUT found that an average IoT device is attacked within five minutes of being connected to the internet. The threat is active, it's growing, and it targets the devices that organizations are least prepared to defend.

The camera you installed to watch the front door might be watching for you. But someone else might be watching through it—and using it to walk right into your network.


This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Organizations should consult with qualified cybersecurity professionals to assess their specific IoT security needs and develop appropriate policies.