Researchers observed Iran-linked actors targeting IP cameras across Israel and Gulf countries, likely to support military intelligence and battle damage assessment.
According to the Check Point Cyber Security Report 2026, cyber operations are increasingly used to support military activity and battle damage assessment (BDA). During the Israel-Iran tensions, researchers from Check Point Software Technologies observed a surge in attacks targeting IP cameras across Israel and Gulf countries, including the UAE, Qatar, Bahrain, and Kuwait, as well as Lebanon and Cyprus. The activity, attributed to Iran-linked actors, relied on VPN and VPS infrastructure to scan devices, mainly Hikvision and Dahua Technology cameras, for known vulnerabilities.
“During the ongoing conflict, we identified intensified targeting of IP cameras from two manufacturers starting on February 28, originating from infrastructure we attribute to Iranian threat actors.
The targeting extends across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus – countries that have also experienced significant missile activity linked to Iran. On March 1st, we additionally observed camera-targeting activity focused on specific areas in Lebanon.” states Check Point Software Technologies.”
“We also observed earlier, more targeted activity against cameras in Israel and Qatar on January 14–15. These dates surround with Iran’s temporary closure of its airspace, reportedly amid expectations of a potential U.S. strike.”
EXPLORE MORE
US says ‘narcoterrorist’ cartel boss killed in Venezuela strike (VIDEO) — RT World News
The Pentagon said the operation to hunt down the leader of the…
Thomas Massie pushes back against move in Congress to integrate US, Israeli militaries
(LifeSiteNews) — After their bipartisan collaboration in successfully passing the Epstein Files…
Missing Juvenile Faith Blackstone from the 18th District
The Philadelphia Police Department is seeking the public’s assistance in locating a…
Missing Juvenile Ayanna Collins from the 22nd District
The Philadelphia Police Department is requesting the public’s help in locating a…
Democrat candidate stops attending church to avoid sitting with Trump voters
(LifeSiteNews) – Rebecca Bennett, a Democrat nominee for Congress in New Jersey,…
Russia-linked hackers target Signal, WhatsApp of officials globally
Russia-linked hackers are targeting Signal and WhatsApp accounts of government and military…
Researchers believe the goal was reconnaissance and real-time monitoring to support intelligence gathering and potential military targeting.
Threat actors targeted the following vulnerabilities in Hikvision and Dahua devices:
| CVE | Vulnerability |
|---|---|
| CVE-2017-7921 | An improper authentication vulnerability in Hikvision IP camera firmware |
| CVE-2021-36260 | A command injection vulnerability in the Hikvision web server component |
| CVE-2023-6895 | An OS command injection vulnerability in Hikvision Intercom Broadcasting System |
| CVE-2025-34067 | An unauthenticated remote code execution vulnerability in Hikvision Integrated Security Management Platform |
| CVE-2021-33044 | An authentication bypass vulnerability in multiple Dahua products |
The experts state that Chinese manufacturers have patched all the above issues.
Researchers analyzed exploitation attempts for CVE-2021-33044 and CVE-2017-7921 linked to infrastructure attributed to Iran.
In October 2021, experts warned that proof-of-concept (PoC) exploit code was available for two authentication-bypass vulnerabilities in Dahua cameras, tracked as CVE-2021-33044 and CVE-2021-33045. A remote attacker can exploit both vulnerabilities by sending specially crafted data packets to the vulnerable cameras.
Since early 2026, scanning activity targeting IP cameras has surged across Israel and several Middle East countries, often aligning with geopolitical tensions such as protests in Iran, U.S. military visits to Israel, and fears of potential strikes.
Similar patterns appeared during the June 2025 Israel-Iran conflict, when compromised cameras were likely used for reconnaissance and battle damage assessment, including a case involving a camera near Israel’s Weizmann Institute before a missile strike.
“One of the best-known cases occurred when Iran struck Israel’s Weizmann Institute of Science with a ballistic missile and had reportedly taken control of a street camera facing the building just prior to the hit” concludes the report.
Defenders should reduce risks by removing public internet access to cameras and placing them behind VPN or zero-trust gateways. Organizations should change default passwords, enforce strong unique credentials, and keep device firmware updated. Cameras should run on isolated network segments with restricted outbound traffic. Security teams should also monitor for repeated login failures, suspicious remote access, and unusual outbound connections.
This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Hikvision multiple products improper authentication vulnerability CVE-2017-7921 (CVSS score of 9.8) to its Known Exploited Vulnerabilities (KEV) catalog.
