Cyber Espionage: Iran-Backed Hackers Target IP Cameras in Israel and Gulf States

  • Mar 8

Key Findings:


  • Iran-linked hackers targeted IP cameras across Israel and several Gulf countries, including the UAE, Qatar, Bahrain, and Kuwait, as well as Lebanon and Cyprus.

  • The goal appears to be reconnaissance and real-time monitoring to support intelligence gathering and potential military targeting.

  • Threat actors targeted vulnerabilities in Hikvision and Dahua IP cameras, such as improper authentication, command injection, and remote code execution flaws.

  • Scanning and exploitation attempts have spiked since late February, often aligning with geopolitical tensions in the region.

  • Similar patterns were observed during the June 2025 Israel-Iran conflict, when compromised cameras were likely used for reconnaissance and battle damage assessment.


Background


Cyber operations are increasingly used to support military activity and battle damage assessment (BDA). During the current Israel-Iran tensions, researchers from Check Point Software Technologies observed a surge in attacks targeting IP cameras across Israel and Gulf countries.


The activity, attributed to Iran-linked actors, relied on VPN and VPS infrastructure to scan devices, mainly Hikvision and Dahua Technology cameras, for known vulnerabilities. Researchers believe the goal was reconnaissance and real-time monitoring to support intelligence gathering and potential military targeting.


Targeted Vulnerabilities


The threat actors targeted the following vulnerabilities in Hikvision and Dahua devices:


  • CVE-2017-7921: Improper authentication vulnerability in Hikvision IP camera firmware

  • CVE-2021-36260: Command injection vulnerability in the Hikvision web server component

  • CVE-2023-6895: OS command injection vulnerability in Hikvision Intercom Broadcasting System

  • CVE-2025-34067: Unauthenticated remote code execution vulnerability in Hikvision Integrated Security Management Platform

  • CVE-2021-33044: Authentication bypass vulnerability in multiple Dahua products


Exploitation Attempts


Researchers analyzed exploitation attempts for CVE-2021-33044 and CVE-2017-7921 linked to infrastructure attributed to Iran. They also noted that proof-of-concept exploit code for the Dahua vulnerabilities has been publicly available since October 2021.


Timing of Attacks


Since early 2026, scanning activity targeting IP cameras has surged across Israel and several Middle East countries, often aligning with geopolitical tensions such as protests in Iran, U.S. military visits to Israel, and fears of potential strikes. Similar patterns appeared during the June 2025 Israel-Iran conflict.


Potential Military Applications


One case involved a camera near Israel's Weizmann Institute being compromised just prior to a missile strike on the facility. Researchers believe the compromised cameras were likely used for reconnaissance and battle damage assessment.


Recommendations for Defenders


  • Reduce public internet access to cameras and place them behind VPN or zero-trust gateways

  • Change default passwords, enforce strong unique credentials, and keep device firmware updated

  • Run cameras on isolated network segments with restricted outbound traffic

  • Monitor for repeated login failures, suspicious remote access, and unusual outbound connections
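
As an added illustration of the monitoring recommendation above (not code from the article or from the cited researchers), the following sketch flags repeated login failures, successful logins from outside the internal network, and camera-initiated connections to unapproved hosts. The log format, the camera subnet, the allowlist, and the threshold are all assumptions made for this example, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Assumptions for this example only: cameras live in 10.20.0.0/24, anything in
# 10.0.0.0/8 counts as internal, and cameras may only reach the recorder and
# NTP host listed below. Log records are "timestamp,event,src_ip,dst_ip".
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_OUTBOUND = {ipaddress.ip_address("10.20.1.5"),
                    ipaddress.ip_address("10.20.1.10")}
FAIL_THRESHOLD = 5

# Constructed sample log (documentation IP ranges stand in for internet hosts).
SAMPLE_LOG = "\n".join(
    [f"2026-03-01T10:00:0{i},login_fail,203.0.113.7,10.20.0.11" for i in range(5)]
    + ["2026-03-01T10:00:09,login_ok,203.0.113.7,10.20.0.11",
       "2026-03-01T10:01:00,login_ok,10.20.1.5,10.20.0.11",
       "2026-03-01T10:02:00,conn,10.20.0.11,10.20.1.5",
       "2026-03-01T10:02:30,conn,10.20.0.11,198.51.100.23",
       "truncated line without enough fields"])

def analyze(log_text, fail_threshold=FAIL_THRESHOLD):
    """Return a list of (finding, src_ip, dst_ip) tuples in log order."""
    fails = Counter()
    findings = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue  # skip malformed records instead of crashing
        _, event, src_s, dst_s = parts
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        except ValueError:
            continue  # skip records with unparsable addresses
        if event == "login_fail" and dst in CAMERA_NET:
            fails[(src, dst)] += 1
            # Report once, at the moment the threshold is reached.
            if fails[(src, dst)] == fail_threshold:
                findings.append(("repeated_login_failures", src_s, dst_s))
        elif event == "login_ok" and dst in CAMERA_NET and src not in INTERNAL_NET:
            findings.append(("remote_login_from_internet", src_s, dst_s))
        elif event == "conn" and src in CAMERA_NET and dst not in ALLOWED_OUTBOUND:
            findings.append(("unexpected_outbound", src_s, dst_s))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A successful login from an external address that follows a burst of failures against the same camera is the combination worth escalating first.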


Sources


  • https://securityaffairs.com/189069/cyber-warfare-2/iran-linked-hackers-target-ip-cameras-across-israel-and-gulf-states-for-military-intelligence.html

  • https://www.wsj.com/livecoverage/iran-israel-us-strikes-2026/card/iran-attempts-to-hack-security-cameras-in-israel-and-gulf-countries-says-cyber-firm-n1QYjX8DxxBjYT1R6ZGq

© 2025 by Explain IT Again.