Cyber threat actors, reportedly linked to Iran, have intensified their targeting of internet-connected IP cameras across the Middle East. This campaign, observed since late February 2026, involves coordinated efforts to compromise surveillance devices, raising significant concerns about the integration of cyber operations with physical military activities amid ongoing regional tensions.
The exploitation attempts surged significantly starting February 28, 2026, with a marked increase in attacks targeting IP cameras in Israel, the United Arab Emirates, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. Analysis by Check Point Research indicates that the infrastructure used in these attacks leverages commercial VPNs like Mullvad, ProtonVPN, Surfshark, and NordVPN, alongside virtual private servers, to obscure the attackers’ true origins.
The timing and scale of these assaults appear to be strategically aligned with geopolitical events. Earlier exploitation activity was documented on January 14–15, 2026, coinciding with a period when Iran closed its airspace due to fears of potential U.S. military intervention. Further increases in exploitation attempts were noted on January 24, coinciding with a visit by the U.S. Central Command commander to Israel for high-level discussions with the Israel Defense Forces chief of staff.
These observations, made through continuous monitoring of Iran-linked infrastructure, suggest that spikes in IP camera compromise attempts consistently correlate with major geopolitical developments. By early February 2026, as Iran’s leadership expressed heightened concern over a possible U.S. strike and messages from entities linked to the IRGC warned of a potential wider regional conflict, a distinct surge in camera exploitation was also documented.
Exploiting Known Vulnerabilities in Widely Deployed Devices
The primary targets of this campaign are IP cameras manufactured by Hikvision and Dahua, two of the most prevalent brands globally. These cameras are frequently installed in public spaces, critical infrastructure, and commercial buildings throughout the Middle East, making them high-value targets for actors seeking real-time visual intelligence. Notably, the observed exploitation attempts have exclusively focused on these two manufacturers, with no activity directed at cameras from other companies.
The implications of this campaign extend beyond conventional cyber espionage. Reports suggest that during the 12-day conflict between Israel and Iran in June 2025, compromised cameras may have been utilized for battle damage assessment and target correction. One concerning incident cited involved Iran’s missile strike on Israel’s Weizmann Institute of Science, where Iranian actors reportedly gained control of a street-facing camera near the facility shortly before the strike. These findings indicate that the compromise of IP cameras could be functioning as a direct operational tool in kinetic warfare.
Check Point Research’s analysis has identified five specific known vulnerabilities being exploited on Hikvision and Dahua devices. These include CVE-2017-7921 (improper authentication in Hikvision firmware), CVE-2021-36260 (command injection in Hikvision’s web server), CVE-2023-6895 (OS command injection in Hikvision’s Intercom Broadcasting System), CVE-2025-34067 (unauthenticated remote code execution in Hikvision’s Integrated Security Management Platform), and CVE-2021-33044 (authentication bypass affecting multiple Dahua products). While manufacturers have released patches for all these vulnerabilities, many devices remain unpatched and accessible directly from the internet, creating significant security gaps.
Exploitation waves have been particularly sharp against Israel and Qatar, with measurable activity also recorded in Bahrain, Kuwait, the UAE, Cyprus, and Lebanon. The convergence of these cyber activities with escalating geopolitical tensions highlights the evolving landscape of modern conflict, where digital infrastructure is increasingly weaponized alongside traditional military assets. Organizations operating surveillance systems across the region are urged to take immediate action to mitigate their exposure.
Recommendations for organizations include removing camera systems and Network Video Recorder (NVR) devices from direct internet access and securing them behind a VPN or a zero-trust access gateway. It is crucial to replace default credentials with strong, unique passwords, and to ensure all firmware and management software are regularly updated. End-of-life devices that no longer receive security patches should be retired or replaced. Additionally, placing cameras on isolated VLANs and strictly limiting outbound traffic to essential endpoints can enhance security. Security teams should maintain vigilant monitoring for suspicious activities such as repeated login failures, unexpected remote access attempts, and unusual outbound connections originating from camera systems.
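The monitoring advice above can be prototyped in a few lines. The following is an added example, not code from Check Point Research or the original article: it flags repeated login failures, logins to cameras from outside the management network, and outbound connections from the camera VLAN to non-approved endpoints. The log format, address ranges, allowlist and threshold are all assumptions to be replaced with site values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed site values (hypothetical): camera VLAN, admin network, approved outbound endpoints.
CAMERA_VLAN = ipaddress.ip_network("10.20.0.0/24")
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
ALLOWED_OUT = {"10.10.0.5", "10.10.0.53"}  # e.g. NVR and internal NTP/DNS
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

# Constructed sample events in an assumed "timestamp type key=value ..." format.
SAMPLE = """\
2026-03-01T10:00:00Z auth src=203.0.113.7 dst=10.20.0.11 result=fail
2026-03-01T10:00:10Z auth src=203.0.113.7 dst=10.20.0.11 result=fail
2026-03-01T10:00:20Z auth src=203.0.113.7 dst=10.20.0.11 result=fail
2026-03-01T10:00:30Z auth src=203.0.113.7 dst=10.20.0.11 result=ok
2026-03-01T10:05:00Z auth src=10.10.0.20 dst=10.20.0.11 result=ok
2026-03-01T10:06:00Z flow src=10.20.0.11 dst=10.10.0.5 dport=554
2026-03-01T10:07:00Z flow src=10.20.0.11 dst=198.51.100.9 dport=443
"""

def parse(line):
    """Split one event line into a dict with a parsed timestamp and event kind."""
    ts, kind, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev.update(ts=datetime.fromisoformat(ts.replace("Z", "+00:00")), kind=kind)
    return ev

def detect(text):
    """Return (alert_name, source, destination) tuples in the order events appear."""
    alerts, fails = [], defaultdict(list)
    for ev in map(parse, filter(None, map(str.strip, text.splitlines()))):
        src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
        if ev["kind"] == "auth" and dst in CAMERA_VLAN:
            if ev["result"] == "fail":
                key = (ev["src"], ev["dst"])
                # Keep only failures still inside the sliding window, then add this one.
                fails[key] = [t for t in fails[key] if ev["ts"] - t <= FAIL_WINDOW] + [ev["ts"]]
                if len(fails[key]) == FAIL_THRESHOLD:
                    alerts.append(("repeated_login_failures", ev["src"], ev["dst"]))
            elif src not in MGMT_NET:  # successful login from outside the admin network
                alerts.append(("unexpected_remote_login", ev["src"], ev["dst"]))
        elif ev["kind"] == "flow" and src in CAMERA_VLAN and ev["dst"] not in ALLOWED_OUT:
            alerts.append(("unusual_outbound", ev["src"], ev["dst"]))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```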

