securityaffairs.com 3/7/2026, 10:56:33 AM · via preferred

Iran-linked actors scan Hikvision and Dahua cams via VPN for CVEs

CyberSIXT Evidence Panel
Primary Source: checkpoint.com
CISA KEV: Listed in KEV
Patch: Patch Available
Threat Actor: Iranian-linked actors

Researchers from Check Point Software Technologies observed Iran-linked actors targeting IP cameras across Israel, Gulf states and other countries in the region, including the UAE, Qatar, Bahrain, Kuwait, Cyprus and Lebanon, for military intelligence and potential battle damage assessment. The activity relied on VPN and VPS infrastructure to scan Hikvision and Dahua cameras for known vulnerabilities; devices from these two manufacturers were the noted targets.

According to the Check Point Cyber Security Report 2026, these operations coincided with escalating Israel–Iran tensions and broader regional unrest. Tracing shows that camera targeting intensified from late February 2026, with additional activity around areas in Lebanon on 1 March. Earlier, on 14–15 January, researchers also observed more targeted camera activity in Israel and Qatar surrounding an Iranian airspace closure reportedly linked to expectations of a U.S. strike.

The experts list several CVEs exploited in Hikvision and Dahua devices, including CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067 and CVE-2021-33044, and note that the Chinese manufacturers have patched these issues. Defenders are urged to remove public internet access to cameras, use VPN or zero-trust gateways, enforce strong credentials, keep firmware updated, and monitor for repeated login failures and unusual outbound connections.
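The two monitoring recommendations above can be expressed as simple detection logic. The following is an added example, not code from Check Point or the article; the log layout, camera subnet, allowlisted peers and thresholds are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values for this example: camera VLAN, permitted peers, thresholds.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.10.0.5"),    # NVR (assumed)
                 ipaddress.ip_address("10.10.0.53")}   # internal NTP/DNS (assumed)
WINDOW, THRESHOLD = timedelta(minutes=5), 5

# Constructed sample records: "<ISO time> <kind> <src> <dst> <detail>"
# For FLOW records, <src> is assumed to be the side that opened the connection.
SAMPLE = [f"2026-03-01T02:00:{s:02d} AUTH_FAIL 198.51.100.7 10.20.0.11 user=admin"
          for s in range(0, 50, 10)] + [
    "2026-03-01T02:10:00 AUTH_FAIL 10.10.0.44 10.20.0.12 user=operator",
    "2026-03-01T02:25:00 AUTH_FAIL 10.10.0.44 10.20.0.12 user=operator",
    "2026-03-01T02:30:00 FLOW 10.20.0.11 10.10.0.5 tcp/554",
    "2026-03-01T02:31:00 FLOW 10.20.0.11 203.0.113.50 tcp/443",
]

def records(lines, kind):
    """Yield (time, src, dst) for well-formed records of the given kind."""
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) >= 4 and parts[1] == kind:
            yield datetime.fromisoformat(parts[0]), parts[2], parts[3]

def failed_login_bursts(lines):
    """(src, camera) pairs with >= THRESHOLD failures inside a sliding WINDOW."""
    recent, hits = defaultdict(deque), set()
    for t, src, cam in records(lines, "AUTH_FAIL"):
        q = recent[(src, cam)]
        q.append(t)
        while t - q[0] > WINDOW:      # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            hits.add((src, cam))
    return hits

def unusual_outbound(lines):
    """(camera, dst) flows a camera opened to a host outside the allowlist."""
    out = set()
    for _, src, dst in records(lines, "FLOW"):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in CAMERA_NET and d not in CAMERA_NET and d not in ALLOWED_PEERS:
            out.add((src, dst))
    return out

if __name__ == "__main__":
    print("login bursts:", failed_login_bursts(SAMPLE))
    print("unexpected outbound:", unusual_outbound(SAMPLE))
```

The sliding window expects records in time order, so sort merged logs from several devices before passing them in.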

Article by CyberSIXT