Security researchers Vangelis Stykas and George Lavdanis discovered a vulnerability in Hikvision's HikConnect cloud service, which they describe as follows:
"just by knowing the email, phone or username they used while registering, after that you can view the live feed of the cam/DVR, manipulate the DVR, change that user’s email/phone and password and effectively lock the user out"
The researchers detail the process and the issues in this post. Hikvision HQ has acknowledged the vulnerability and released a fix.
Inside this note, we examine what the issue was, compare it to 2017's Hikvision IP Camera backdoor and explain why this one was a coding error and not anything to do with Hikvision's Chinese government ownership.