Summary
IP cameras are no longer just physical security tools, they’ve become a quiet but critical part of the cyber attack surface. This article explores how attackers are actively targeting exposed camera infrastructure using known vulnerabilities, and why gaps like outdated firmware, weak credentials, and poor segmentation continue to put organisations at risk. It highlights the need for better visibility and stronger controls to prevent cameras from becoming an easy entry point into corporate network
Your CCTV cameras might be giving someone a view they were never meant to have.
Recent threat intelligence from Check Point Research has highlighted something our team at Help AG has been seeing firsthand over the past year: IP cameras are no longer just a physical security asset. They have quietly become one of the most overlooked entry points in an organisation’s digital attack surface.
The research identified coordinated scanning campaigns targeting IP cameras across the Middle East, including the UAE, Qatar, Bahrain, and Kuwait. The intent was not random. Scanning activity was timed around real-world events, pointing to a deliberate effort by sophisticated threat actors to gain visibility into physical environments through internet-exposed camera infrastructure. When a camera feed can tell you what is happening on a factory floor, a datacentre, a government building, or a port, access to that feed has intelligence value well beyond the digital world.
What made the findings particularly striking was the vulnerability profile being exploited. Several of the CVEs being actively scanned for are not new. CVE-2017-7921, an improper authentication flaw in Hikvision firmware, is nearly a decade old. CVE-2021-36260, a command injection vulnerability in the same vendor’s web server component, has had a patch available for years. The authentication bypass affecting multiple Dahua products has been documented since 2021. These are not zero-days. They are known, patchable vulnerabilities that remain exploitable at scale because firmware updates on cameras are simply not treated with the same urgency as patches on servers or endpoints.
At Help AG, we have seen a significant uptick in requests for IP camera and physical security interface assessments over the past 12 months. When we conduct these assessments, the findings are consistent. Camera management interfaces are exposed to the internet with default or weak credentials. Firmware versions are several generations behind. Camera networks sit on the same VLAN as corporate IT infrastructure with no segmentation. In several cases, access to the camera management platform provided a viable pivot point into broader network access.
The gap between how organisations think about physical security technology and how attackers think about it is significant, and it is narrowing fast.
If your organisation operates IP cameras, whether in offices, datacentres, warehouses, or critical facilities, here are the questions worth asking today:
- Are your camera interfaces exposed to the internet? Management portals that can be reached from outside the corporate network without VPN access are an open invitation. Shodan and similar tools make finding them trivial. Attackers are already using them.
- When did you last update camera firmware? Vendors like Hikvision and Dahua release firmware updates that patch known vulnerabilities. If the last update predates 2022, there is a meaningful chance your devices carry exploitable flaws that have public proof-of-concept code available.
- Are your cameras on a segmented network? Camera traffic and management interfaces should sit in an isolated VLAN with strict controls on what they can communicate with. A compromised camera should not be a stepping stone to Active Directory.
- Have you changed default credentials? Default username and password combinations for the most widely deployed camera brands are publicly documented. In our assessments, we still encounter devices where this has never been done.
The convergence of physical and digital security is not a future trend. It is happening now, and the Middle East is squarely in the crosshairs of threat actors who understand that a camera is not just a camera.
If you would like to understand your organisation’s exposure, our team conducts targeted assessments of IP camera infrastructure, internet-facing management interfaces, and physical-digital attack paths. We find what an attacker would find, before they get the chance.
—
*Aneesh Anil Kumar | Help AG Offensive Cybersecurity Team
*Reference: Check Point Research, March 2026
