Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits

By: IPVM Team, Published on May 02, 2018

This list compiles reported exploits for security products, and is updated regularly.

We have summarized exploits by date and by manufacturer, providing a brief description of the exploit along with affected product(s) and firmware version(s), when known.

Historical List Of Exploits

This list contains a summary of known exploits in reverse chronological order. Additional details are provided in a section for each manufacturer below. An asterisk (*) next to a manufacturer's name indicates products that were OEM'd under multiple brand names beyond the original manufacturer listed.

  • April 2020 - China Surveillance Vulnerabilities Used To Attack China - Anonymous-affiliated pro-Tibet activists target the PRC government by exploiting known vulnerabilities in equipment manufactured by Xiongmai and Dahua.
  • March 2020 - LILIN Vulnerabilities Used by DDoS Botnets - 3 Vulnerabilities: command injection vulnerabilities with NTUpdate, FTP, and NTP, hardcoded credentials, and arbitrary file reading vulnerability with LILIN DVRs.
  • February 2020 - Chinese NVR/DVR Vulnerability - Huawei (HiSilicon) backdoor uses a combination of port knocking to enable telnet along with hardcoded root credentials.
  • February 2020 - Bosch, Multiple Self-Reported Vulnerabilities: two 10.0 critical vulnerabilities along with 8.6 and 7.7 rated vulnerabilities. The first 10.0 vulnerability affects Bosch BVMS and uses deserialization of untrusted data which attackers can use to remotely execute code. The other 10.0 vulnerability applies to their Video Streaming Gateway and is also remotely exploitable due to the VSG services missing authentication for critical functions.
  • January 2020 - Honeywell Maxpro VMS & NVR Vulnerability - Attackers are able to remotely execute code, and via a SQL injection vulnerability an attacker could gain unauthenticated access to the web user interface with admin rights.
  • December 2019 - Wyze Massive Data Leak - Millions of users' account data was exposed publicly including email addresses, usernames, WiFi SSIDs, and more.
  • September 2019 - Dahua Critical Vulnerabilities - 5 Vulnerabilities; one is 9.8 / 10 CVSS score and the others are 7.0 - 9.0. The most severe allows an attacker to execute malicious code on the camera.
  • October 2019 - iSeeQ DVR Vulnerability - The Hybrid DVR WH-H4 1.03R allows unauthenticated access to the live stream via the get-jpeg script, which can be accessed locally and remotely.
  • September 2019 - ONVIF Exposure To "Devastating DDoS Attacks" - A vulnerability within WS-Discovery makes it possible for public-facing devices to be used in a DDoS attack.
  • August 2019 - Dahua Wiretapping Vulnerability - Allows unauthorized access to the audio stream on affected cameras
  • May 2019 - LifeSafety Power NetLink Vulnerabilities - Allows unauthorized access to clear text passwords and more in firmware for devices used to control and monitor access control power.
  • December 2018 - Bosch VDOO 2018 Vulnerability - A critical vulnerability that is difficult to discover and requires sophisticated hacking skills to exploit.
  • August 2018 - Hikvision IP Camera Critical Vulnerability - Exploiting the vulnerability allows attackers to either take over the device or crash the camera.
  • July 2018 - Sony Talos 2018 Vulnerabilities - Allows commands to be executed without Admin credentials; however, the attacker needs to know what commands to execute, so it is more complex than some other, simpler vulnerabilities.
  • June 2018 - Axis VDOO 2018 Vulnerabilities - Results in root access; however, the attack process is very complex, requires multiple steps and requires advanced Linux knowledge and hacking skills.
  • April 2018 - TBK (and OEMs) Vulnerability Provides Clear Text Credentials - a curl / http command provides the admin credentials of affected DVRs in plain text.
  • April 2018 - Hikvision Critical Cloud Vulnerability - just knowing the registered email/phone number can get admin access. Note this was resolved before the date of disclosure.
  • April 2018 - TVT Backdoor, Hardcoded authentication to download remote system configuration - including login and password in clear text
  • January 2018 - Geovision 15 Backdoors and Vulnerabilities, including remote root access and clear text credentials
  • December 2017 - Axis Vulnerabilities linked to DHCP and UPnP libraries in BusyBox, and vulnerability in CGI executables
  • November 2017 - Hikvision Wifi cameras have hard-coded SSID, allows for rogue access point attack (7)
  • November 2017 - Vivotek remote stack overflow vulnerability (3)
  • November 2017 - Dahua Hard-coded backdoor credentials in camera and NVR firmware (6)
  • October 2017 - Uniview recorders vulnerable to admin password retrieval backdoor
  • August 2017 - Hikvision Tools allows admin password reset in older firmware (6)
  • August 2017 - Hikvision iVMS-4200 stores passwords with reversible encryption (5)
  • August 2017 - NeoCoolCam - iDoorbell product buffer overflow vulnerability allows various exploits
  • July 2017 - Dahua - Buffer overflow vulnerability in password field (5)
  • July 2017 - Vivotek - CGI script exploits (2)
  • July 2017 - Axis - Buffer overflow vulnerability in 3rd party software toolkit used for ONVIF (3)
  • June 2017 - FLIR - Vulnerabilities allow remote code execution, unauthenticated viewing of live images, and reveal hard-coded accounts
  • June 2017 - Persirai botnet attacks various consumer/SMB-oriented cameras.
  • May 2017 - Hanwha - User can exploit cached data from a previous session to gain access to certain recorders
  • March 2017 - Hikvision - Backdoor allows unauthorized access to admin interface (4)
  • March 2017 - Axis - Multiple vulnerabilities related to CSRF attacks (2)
  • March 2017 - Dahua - Backdoor allows attacker to read user/password list (4)
  • March 2017 - Ubiquiti - Command injection vulnerability
  • February 2017 - Geutebrück - Authentication bypass.
  • February 2017 - Dahua - Multiple vulnerabilities in DHI-HCVR7216A-S3 recorders (3)
  • December 2016 - Sony - Attackers can remotely enable telnet on cameras.
  • December 2016 - Hikvision - servers susceptible to XXE exploit. (3)
  • November 2016 - Milesight - Cameras have a number of vulnerabilities that allow remote exploit.
  • November 2016 - Siemens - Remote privilege escalation possible via exploiting web interface.
  • October 2016 - NUUO - Insecure default credentials. (2)
  • October 2016 - Dahua*, XiongMai - Mirai botnet. (2)
  • September 2016 - AVer - EH6108H+ DVR Multiple vulnerabilities
  • August 2016 - NUUO - Remote root exploit and remote command injection vulnerability. (1)
  • July 2016 - Axis - Remote root exploit. (1)
  • July 2016 - Pelco - Digital Sentry hard coded username/password backdoor.
  • March 2016 - TVT* - Remote code execution.
  • March 2016 - HID - Command injection vulnerability allows attacker full control of device.
  • February 2016 - Unknown DVR OEM - Authentication bypass, other issues.
  • August 2015 - Dedicated Micros - Devices have no default password, allowing full access.
  • June 2015 - Avigilon - ACC - Allows attackers to read arbitrary files.
  • October 2014 - Bosch - 630/650/670 Recorders - Multiple exploits allow an attacker to get root console and also retrieve config data.
  • September 2014 - Hikvision - 7200 series NVRs - Buffer overflow to gain root access. (2)
  • November 2013 - Dahua* - DVR's/NVR's - Execute admin commands without authentication (1)
  • November 2013 - Vivotek - RTSP stream authentication can be bypassed. (1)
  • August 2013 - Hikvision - IP Cameras - Remote root exploit. (1)

Exploits For Specific Companies


AVer

Firmware version X9., and possibly earlier versions, contains multiple vulnerabilities including hard-coded admin-level accounts and authentication bypass exploits. Additional details in CERT report.


Avigilon

ACC versions prior to and prior to allowed for arbitrary files to be retrieved through specially crafted URLs, giving anyone with remote access to the server the ability to access files at will, without authentication, making this a critical vulnerability. Additional details are in the CVE Report for this vulnerability.



Axis

(4) Axis announced patches for vulnerabilities common to DHCP and UPnP code in BusyBox Linux, and also for information disclosure vulnerabilities in CGI executables. Additional details in Axis 5 Vulnerabilities Examined.

(3) An exploit in a toolkit used for ONVIF support in Axis, and other brands, was discovered. While it has the potential to impact multiple products, proof-of-concept code was only developed/shown for Axis products.

(2) A Google researcher identified multiple vulnerabilities in Axis cameras. The vulnerabilities are relatively low risk, and are primarily patched in newer firmware, but could have the potential to disable or alter camera functionality if successfully used.

(1) Products with firmware from versions 5.20.x to 6.2.x had a vulnerability that allowed for an attacker to gain access to a root console on the device, allowing them full control of the device. Attackers did not need to know usernames/passwords, or other information about the product in order to exploit it, making this an extremely severe vulnerability. Axis issued a press release on this exploit, and IPVM covered the Axis exploit as well.


Bosch

DVR 630/650/670 units with firmware version 2.12, and possibly older versions, are vulnerable to exploits where attackers can send specially-crafted URLs to the device to enable telnet access, which provides a root console that does not require authentication. No special software is required to carry out this attack. Vulnerability details and proof of concept examples are listed in ExploitDB under ID 34956.


Dahua

(6) Hard-coded credentials were found in firmware for cameras and NVRs, allowing for rogue firmware uploads. Additional detail: Dahua Hard Coded Credentials Vulnerability.

(5) A buffer overflow vulnerability was discovered in Dahua cameras where excessive-length password text can be entered, triggering an overflow. Additional coverage: Dahua Suffers Second Major Vulnerability, Silent.

(4) Dahua cameras and DVRs/NVRs expose a config file containing username/password info to unauthenticated HTTP requests. Additional coverage: Dahua Backdoor Uncovered.

(3) Vulnerabilities were found in Dahua's DHI-HCVR7216A-S3 recorder, including cleartext passwords, an auto-admin login that allows data sniffing, an admin password bypass, and unencrypted communications that allow a man-in-the-middle attack.

(2) Dahua camera and NVR firmware prior to January 2015 shipped with telnet enabled, which coupled with well-known admin credentials allowed attackers to gain access to a root shell and exploit the device. The most popular exploit was the Mirai botnet, which took down internet sites and service providers in October 2016. Products OEM'd from Dahua, which include multiple brands such as FLIR and Honeywell, were also affected.

(1) Recorders with firmware 2.608 could be exploited to accept certain admin commands without authentication, allowing an attacker to retrieve configuration information from the device to change user passwords. ExploitDB contains additional details under ID 29673.

Dedicated Micros

Dedicated Micros DVRs, including at least DV-IP Express, SD Advanced, SD, EcoSense, and DS2, ship with no default credentials, and insecure protocols enabled. This can allow attackers to take over the device and/or to sniff network traffic during setup. Additional details in VU 276148.


FLIR

Multiple vulnerabilities, with no firmware fix, including ability to see live images without authentication, remote code execution, and hard-coded accounts, outlined in Beyond Security disclosure. Additional details and analysis in: FLIR Thermal Camera Multiple Vulnerabilities, Patch Released.


Geovision

In firmware older than December 2017, one can gain root access with either a curl command within a CLI or an HTTP request in a browser. This is a simple copy / paste / enter the specific IP address. There are 15 separate vulnerabilities that range from capturing a screenshot to printing the camera credentials in clear text. IPVM covered this here.


Geutebrück

In G-Cam/EFD-2250 with firmware version an authentication bypass vulnerability has been identified. The existing file system architecture could allow attackers to bypass the access control that may allow remote code execution. Details in ICS CERT Advisory.


Hanwha

SRN-4000, SRN-1673S, SRN-873S, and SRN-473S recorders have a vulnerability in some firmware versions where a user who was previously logged into an affected device can use cached data/files to gain access to the same recorder's management interface, bypassing the standard authentication screen. Additional detail in the ICS-CERT release and Hanwha Vulnerability Analysis report.


HID

VertX and EDGE systems with firmware prior to March 2016 are susceptible to a command injection exploit, where an attacker can cause the controllers to lock or unlock doors without authentication, as well as perform a number of other functions on the controller. This vulnerability was detailed on Trend Micro's blog; technical details can be found in this GitHub repository.


Hikvision

(7) Some Hikvision Wifi cameras attempt to connect to SSID "davinci" by default, allowing an attacker to set up a rogue access point with this SSID to gain access to the camera for further exploit.

(6) Hikvision's algorithm for generating security codes to reset admin passwords is cracked, with tools released to enable easy code generation.

(5) iVMS-4200 has a password recovery feature that divulges the admin password encrypted with a reversible method.

(4) A potential vulnerability was first reported in March 2017, and then verified in a US Department of Homeland Security release. Attackers can bypass authentication measures to get access to admin-level features in the web interface of affected Hikvision cameras.

(3) A security researcher found servers vulnerable to an XML External Entity (XXE) exploit. This vulnerability allowed the researcher to retrieve arbitrary files from the server, exposing users to the risk of having data on the public IP/port of their registered devices exposed. Further coverage available in our Hikvision cloud server vulnerability report.

(2) NVRs with firmware 2.2.10, and possibly other versions, contain a vulnerability that allows for a buffer overflow attack, enabling attackers to gain control of the device. This vulnerability was examined and described by research firm Rapid7.

(1) Hikvision IP cameras with firmware v4.1.0 b130111, and possibly other versions, can be attacked to gain access to the admin account, bypass authentication entirely using hard-coded credentials, or to execute arbitrary code through a buffer overflow attack. Core Security issued a report detailing these exploits.


Milesight

Milesight camera firmware prior to ~November 2016 may contain a number of vulnerabilities including hard-coded credentials and the ability to execute admin commands via unauthenticated CGI calls, making the cameras highly vulnerable to attacks.


NeoCoolCam

HTTP and RTSP services are vulnerable to multiple forms of buffer overflow attacks. Devices use UPnP to open ports in the firewall, making them exposed by default in many installs. ~170K units impacted. Full details in Bitdefender whitepaper on NeoCoolCam vulnerability.


NUUO

(2) Nuuo NT-4040 Titan firmware version NT-4040_01.07.0000.0015_1120 contains default credentials of admin:admin and localdisplay:111111. A remote network attacker can gain privileged access to a vulnerable device. Further information can be found in CERT Vulnerability Listing for this issue.

(1) Multiple devices, including the NVRmini, NVRmini2, Crystal, Titan and NVRSolo with firmware prior to 3.0.8 have multiple vulnerabilities that allow for remote code execution, remote root exploit, remote file deletion, and other attacks. Exploits are listed on ExploitDB under multiple IDs, including: 40200, 40209, 40210, 40211, 40212, 40213, 40214, 40215. Each of these represents a critical vulnerability that is easy for an attacker to execute against the device.

Unknown DVR OEM

An unknown manufacturer of DVRs sold under various brands has firmware with multiple exploits, including the ability to bypass authentication and get telnet access. Details can be found on the researcher's blog.


Pelco

Digital Sentry products running firmware prior to 7.13.84 contained a hard-coded admin account that could be used to take full control of the device by a remote attacker. IPVM covered this vulnerability when it was made public, and CERT also contains additional details.


Sony

Attackers can remotely enable telnet on Gen 5 and Gen 6 cameras with firmware prior to 1.86.00 and 2.7.2 respectively, enabling them to potentially log in as root. Additional details in our coverage of this exploit.


Siemens

Specially crafted URLs allow an attacker to gain admin-level privileges on affected cameras. A list of affected cameras and recommended firmware versions to resolve this issue is provided by Siemens.


TVT

Specially crafted URLs can be used to cause the recorders manufactured by TVT to execute arbitrary commands. At least 79 distinct brands OEM'd these units, including well-known brands like ADI and Q-See. Rotem Kerner documented the exploit on his site, and also provided IPVM with additional details on how he crafted the exploit.


Ubiquiti

A command injection vulnerability was reported in firmware prior to AirOS 8.0.1. Relatively low risk of exploit, but could enable severe holes in the network, such as reverse shells, if properly executed.


Uniview

The admin password hash can be retrieved from Uniview recorders, and then used to log in as admin, allowing full access. Details covered in Uniview Recorder Backdoor Examined.


Vivotek

(3) Potential for stack overflow, likely resulting in denial of service, via malformed URL calls. Details in Vivotek Remote Stack Overflow Vulnerability.

(2) CGI scripts on Vivotek cameras can be used to access files and run commands as root. Additional coverage: Wrongly Accused Critical Vulnerability for Vivotek.

(1) Firmware 0105a, 0105b, and possibly other versions, are susceptible to having RTSP authentication bypassed, allowing video streams to be viewed without authentication. Firmware after 0301c should not be affected. Additional information from Core Security: Vivotek RTSP auth bypass.


Xiongmai

Xiongmai firmware prior to January 2015 shipped with telnet enabled, which coupled with well-known admin credentials allowed attackers to gain access to a root shell and exploit the device. The most popular exploit was the Mirai botnet, which targeted Dahua and Xiongmai devices, and took down internet sites and service providers in October 2016. Due to Xiongmai being primarily an OEM component supplier, many affected products were sold under alternate brands.


Comments (46)


If you know any exploits not listed here, please comment and I will update the report.

This is a great list!

This is a very useful list.

There is a vulnerability regarding Dedicated Micros DVR. Note VU#276148.

Thanks, added.

Well so far, firmware updates seem to be the standard thing to stay on top of to combat the bulk of these vulnerabilities. This is irregardless of any manufacturer... Unfortunately, some companies are better about disseminating those updates than others.

Dahua, I sell your ****, but I know your ****. Get your **** together so I can sell more and tech less dammit!

Honestly though, my Dahua rep's been pretty good at getting us firmware, but having to work with her timezone to get support tends to be inconvenient. Having a regularly updated FTP directory of firmware (that isn't PAL focused) would be lovely. I'm about ready to start hosting it myself... I think though I want do it differently from and

Robert, Dahua factory FTP has both PAL and NTSC firmwares, and is updated daily. Are you working with the factory directly?

Yeah, but asking them for every single one when you aren't the primary tech support guy and just a sales engineer isn't very productive. My primary project manager is about as paranoid about firmware as it gets. Also...the great firewall of China has been nothing short of a pain in the ass for them to get support out to us as easily as they want.

Even the DahuaWiki, maintained by DahuaUSA itself doesn't get to access the firmware direct from the FTP.

What's the URL?

the biggest exploit is the careless user/installer who does not change default login credentials.

go to shodan hq

search for any manufacturers device

enter with default login

do as you want

Agreed, but manufacturers don't need to help. :)

Not surveillance but close:

HID VertX door controller exploit:

Access control product exploits will be included as well, thanks for the link.

Vivotek RTSP authentication bypass

Bosch DVR 600 series root shell access exploit

Thanks, added these in.

This is excellent - add my vote to expanding this to include other security products.

This has the potential to be a good resource for anyone (like me) wanting to promote network security services for security systems.

Would you consider adding some indication on what the manufacturer's response history is like when confronted with a vulnerability? If I'm recommending a product I'm not concerned with the fact that there was a historic problem, I'm concerned about how the manufacturer responded to the problem (and would likely respond to a future vulnerability).

Thanks for taking this initiative!

John -

The response history suggestion is a good one, I will try to add that in when we have enough data to do so.

Siemens branded IP cameras? I would guess that's probably an OEM...?

Added Geutebrück - Authentication bypass vulnerability to the list.


Another Web authentication bypass vulnerability for a very common DVR was found. This DVR is OEM'd by many vendors and could be found under many names.

Currently Shodan shows more than 23000 devices online.


Thanks, I filed it as "Unknown DVR OEM" unless you know the actual manufacturer and/or most common brands affected?

Added Dahua Backdoor to this list, which is current, and also an entry for AVer DVR EH6108H+ from September 2016 that lists hard-coded accounts and an authentication bypass exploit.

This report has been updated with some new entries for March 2017:

  • March 2017 - Hikvision(4) - Backdoor allows unauthorized access to admin interface
  • March 2017 - Axis(2) - Multiple vulnerabilities related to CSRF attacks
  • March 2017 - Ubiquiti - Command injection vulnerability

I have a better idea of the vulnerabilities of each model of surveillance cameras.

UPDATE: Added latest vulnerabilities linked to Axis (ONVIF support software toolkit) and Dahua, both being buffer-overflow related.

UPDATE - added a buffer-overflow vulnerability found in NeoCoolCam iDoorbell units. A whitepaper describing the vulnerability shows a proof of concept exploit as well.

How Cyber Aware are you really?

Cyber Security is my primary role and function for the large organization I work for; Regulatory Compliance is the name of the game these days. With a very large Global Enterprise and tens of thousands of connected devices, I spend the first part of my daily routine reading what is going on in the "dark world" to stay on top of stuff before I am told by EIS to shut it down until it's fixed.

Part of the challenge in this industry is the manufacturers are not as Security Aware as they claim to be; the technologies are way behind traditional IT and lack the ability to use standard scanning and testing tools to help keep things in check. Case in point is Devils Ivy: how many of your Camera and VMS Partners have reached out to you to share their potential risk and their patching strategy? It's usually the other way around, where I am calling them, giving them the ICS-Cert to investigate and respond.

Nowadays the IT/Security Requirements trump (pardon the pun) User Requirements; times have changed. How educated are you in knowing what you sell to end users and how it puts their organization at great risk? This is just not about some simple anti-virus app you load; you must select the right products for your Enterprise.

What do you know about the following and how do you manage it in your world?

  • Using IPv6 Compliant Products
  • 802.1X (Certificate Management)
  • OS/Firmware Patch Management
  • Drift Management
  • Baseline Configuration Management
  • Asset and Change Control Management
  • Vendor Access to connected devices with non-whitelisted computers (that is scary)

Hope everyone is following ICS-Cert to keep up with what is going on and not waiting for manufacturers to share with you what they want.

In closing, how many of you still have Windows XP OS systems out there? It's EOL and no longer supported, so you cannot get updates if you wanted to. Yes, Microsoft made an exception for "Wanna Cry SMB" but that is only because it was so widespread and there are so many folks that failed to get off of XP. What do you do in 2020 when those systems you use that have Windows 7 are EOL and not patched any more? That is only a few years away, and many manufacturers are still shipping products TODAY that use an OS that will be obsolete January 2020.

Might be time to start a new thread on Cyber Security Awareness and what the industry is doing; some folks do it very well and lead the pack and others just don't think anything about it.

Food for thought to chew on!



Thanks for stating that so clearly. Ideally I'd like each security manufacturer to have a cyber security policy which stated the following:

1/ point person at the manufacturer to answer vulnerability requests

2/ company commitment on vulnerability response (disclosure, updates)

3/ "opt-in" e-mail list for clients to be notified of a cyber vulnerability

4/ commitment to cyber best practices (I know, hard to enforce)

Does anyone know of a manufacturer who has done ANY of this? Any additions to this list?

These manufacturers do it very well; reach out to them respectively and ask for their Hardening Guides and IT Security Whitepapers. They all have very public sites to share their Cyber Awareness; this is just a sample of what some manufacturers are doing. IMO Genetec sets the bar for the industry, they do "Security of Security"


UPDATE: GeoVision's Backdoor and Vulnerabilities have been added. This provides remote root access, clear text credentials, and a variety of other levels of unauthorized access.

UPDATE: This report has been updated with the TVT Backdoor. This provides hardcoded authentication to download remote system configuration - including login and password in clear text.

UPDATE: This report has been updated with the Hikvision Cloud Vulnerability. Just knowing the original email / phone number used for registration can be used to gain access.  Note this was resolved before the date of disclosure.

In cases like this where the exploit was resolved by the time it was disclosed, shouldn't the phrasing be different? Saying "can be used to gain access" suggests it's still a vulnerability, except maybe in the context of a change log under a heading like "Issues fixed since version x.y.z".

U7 - Thank you, I added a note stating that the issue was resolved before the date of disclosure.

UPDATE: This report has been updated with TBK Vulnerability which provides the admin credentials of affected DVRs in plain text. This applies to Q-See, Night Owl, and more OEMs.

This report has been updated with the Axis VDOO vulnerabilities, which result in root access; however, the attack process is very complex, requires multiple steps and requires advanced Linux knowledge and hacking skills.

Recently, multiple vulnerabilities were discovered in Sony IPELA E Series cameras. These include command injection and stack buffer overflow exploits. We have tested and verified the proof of concept and will have a more detailed post shortly.

UPDATE: This report has been updated with the Sony Gen 5 / Talos vulnerabilities. This allows commands to be executed without Admin credentials; however, the attacker needs to know what commands to execute, so it is more complex than some other, simpler vulnerabilities.

This is massive research and very informative regarding cyberspace in the surveillance industry. This is a wake-up call for each and every integrator to fix what is not doing in our industry. Putting our heads together may help, as a problem shared is a problem solved anyway!

This report has been updated with the Bosch / VDOO critical vulnerability report.

This report has been updated with the LifeSafety Power NetLink Vulnerabilities report. This allows unauthorized access to clear text credentials, and more. The devices affected are used to control and monitor access control power.

Wow, that is good to know. Keep companies on their toes!

This report has been updated with the Dahua wiretapping Vulnerability.  This allows unauthorized access to the audio stream on affected cameras even when audio has been disabled.

This report has been updated with the Honeywell vulnerability and four vulnerabilities from Bosch, of which two are 10.0 critical vulnerabilities.

This report has been updated with the Chinese DVR/NVR backdoor vulnerability.
