Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits

Cybersecurity vulnerabilities have escalated over the past few years and keeping track of who is impacted by each can be difficult.

This list, updated for 2024, compiles reported exploits for the security industry by date and by manufacturer, with a brief description of each exploit, the affected product(s) and version(s), and links to further reading for each.

Those interested in cybersecurity should also see our Cybersecurity Rankings reports:

• Cloud IP Camera Cybersecurity Rankings 2023 - Avigilon Alta, Eagle Eye, Meraki, Rhombus, Turing, Verkada
• IP Camera Cybersecurity Rankings - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, i-PRO, Uniview, Vivotek
• Cloud Access Cybersecurity Shootout - Alarm.com, Brivo, DMP, Feenics, Kisi, Openpath, PDK, Verkada
• NVR Cloud P2P Cybersecurity Rankings - Axis, Dahua, Digital Watchdog, Geovision, Hanwha, Hikvision, Speco, Uniview, Vivotek
• NVR Cybersecurity Rankings 2024 - Axis, Dahua, Digital Watchdog, Geovision, Hanwha, Hikvision, Speco, Uniview, Vivotek (ipvm.com)

Exploit Timeline

The timeline below shows a summary of each vulnerability along with a link to our reporting or other information.

Click to view this timeline full screen.

Exploits For Specific Companies

The list below sorts these exploits by each company for easier reference:

ADT

• January 2021 - ADT Technician Hacks Video Surveillance 9600+ Times For Sexual Gratification - Technician added his own email to customer accounts so he could log in to view customers, many of which had several underage children.

Aver

• September 2016 - Firmware version X9.03.24.00.07l, and possibly earlier versions, contain multiple vulnerabilities including hard-coded admin-level accounts and authentication bypass exploits. Additional details in CERT report.

Avigilon

• November 2023- Avigilon Alta 3 Vulnerabilities November 2023 Analyzed- Avigilon Alta has disclosed three vulnerabilities this month, which allowed Denial of Service (CVE-2023-39325), Arbitrary Code Execution (CVE-2023-39320), and Cross-Site Scripting (CVE-2023-3978).
• June 2015 - ACC versions prior to 4.12.0.53 and prior to 5.4.2.21 allowed for arbitrary files to be retrieved through specially crafted URLs, giving anyone with remote access to the server the ability to access files at will, without authentication, making this a critical vulnerability. Additional details are in the CVE Report for this vulnerability.

Axis

• November 2023 - 4 Vulnerabilities Analyzed. Axis disclosed four vulnerabilities, three affecting the VAPIX API and the fourth in Secure Boot.
• October 2023- Axis 3 Vulnerabilities October 2023 Analyzed- Axis has disclosed three vulnerabilities, one impacting ACAP applications, another Secure Boot, and the third in the VAPIX API.
• July 2023- Axis OSDP Implementation Vulnerabilities Analyzed- Axis disclosed 2 vulnerabilities impacting its access control products, CVE-2023-21405 and CVE-2023-21406, one of which also impacts some of its network intercoms. specifically with its implementation of OSDP
• May 2023- Axis Security Notification (CVE-2023-21404) Analyzed-A static RSA key vulnerability in Axis firmware <11.4.52 (CVE-2023-21404, CVSSv3.1: 4.1 Medium) was found. Exploitation requires remote access, enabled SSH, and administrator credentials and the practical risk of someone misusing the private RSA key is low because a password is required to decrypt it.
• December 2018 - Axis announced patches for vulnerabilities common to DHCP and UPnP code in BusyBox linux, and also for information disclosure vulnerabilities in CGI executables. Additional details in Axis 5 Vulnerabilities Examined.
• June 2018 - Axis VDOO 2018 Vulnerability
• December 2017 - Axis Vulnerabilities linked to DHCP and UPnP libraries in BusyBox, and vulnerability in CGI executables. See Axis' security advisory for more details.
• July 2017 - An exploit in a toolkit used for ONVIF support in Axis, and other brands, was discovered. While it has the potential to impact multiple products, proof-of-concept code was only developed/shown for Axis products.
• March 2017 - A Google researcher identified multiple vulnerabilities in Axis cameras. The vulnerabilities are relatively low risk, and are primarily patched in newer firmware, but could have the potential to disable or alter camera functionality if successfully used.
• July 2016 - Products with firmware from versions 5.20.x to 6.2.x had a vulnerability that allowed for an attacker to gain access to a root console on the device, allowing them full control of the device. Attackers did not need to know usernames/passwords, or other information about the product in order to exploit it, making this an extremely severe vulnerability. Axis issued a press release on this exploit, and IPVM covered the Axis exploit as well.

Bosch

• December 2023 - 3 Vulnerabilities Analyzed, which allowed command injection and denial of service.
• February 2020 - Bosch, Multiple Self-Reported Vulnerabilities: two 10.0 critical vulnerabilities along with 8.6 and 7.7 rated vulnerabilities. The first 10.0 vulnerability affects Bosch BVMS and uses deserialization of untrusted data which attackers can use to remotely execute code. The other 10.0 vulnerability applies to their Video Streaming Gateway and is also remotely exploitable due to the VSG services missing authentication for critical functions.
• October 2014 - DVR 630/650/670 units with firmware version 2.12, and possibly older versions, are vulnerable to exploits where attackers can send specially-crafted URLs to the device to enable telnet access, which provides a root console that does not require authentication. No special software is required to carry out this attack. Vulnerability details and proof of concept examples are listed in ExploitDB under ID 34956.

Cisco

• August 2019 - Several vulnerabilities in the RealTek SDK including stack overflows which accommodate remote code execution, and in the proof of concept, bashis is able to add and delete admin level access to credentials. See: Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More

Dahua

• January 2023- Dahua DSS Software 12 Vulnerabilities Discovered and Analyzed- IPVM found and reported 12 CVEs impacting around 3100 devices, with potential to chain attacks, resulting in system takeover. Additionally, a number of hidden features, some of which allow Server-Side Request Forgery (SSRF), Remote Code Execution (RCE), and unchecked ICMP requests, can be used for Distributed Denial of Service (DDoS) attacks.
• September 2021 - Dahua New Critical Vulnerabilities 2021 - Attackers may gain admin access to devices without credentials, potential for another mass hack.
• June 2021 - Hackers Add Backdoor To CCTV Security Pros / Dahua SmartPSS - Hackers Trojanized downloads of Dahua's SmartPSS from OEM's website, CCTV Security Pros.
• May 2020 - Dahua Critical Cloud Vulnerabilities - Dahua and 22 OEMs including Panasonic and Stanley had hard-coded cloud keys / passwords which were shared and could be used to ultimately gain full access to cloud connected equipment.
• September 2019 - Dahua Critical Vulnerabilities - 5 Vulnerabilities; one is 9.8 / 10 CVSS score and the others are 7.0 - 9.0. The most severe allows an attacker to execute malicious code on the camera.
• August 2019 - Dahua Wiretapping Vulnerability - Allows unauthorized access to the audio stream on affected cameras
• November 2017 - Hard-coded credentials were found in firmware for cameras and NVRs, allowing for rogue firmware uploads. Additional detail: Dahua Hard Coded Credentials Vulnerability.
• July 2017 - A buffer overflow vulnerability was discovered in Dahua cameras where excessive-length password text can be entered, triggering an overflow. Additional coverage: Dahua Suffers Second Major Vulnerability, Silent.
• March 2017 - Dahua cameras and DVRs/NVRs expose a config file containing username/password info to unauthenticated HTTP requests. Additional coverage: Dahua Backdoor Uncovered.
• February 2017 - Vulnerabilities found in Dahua's DHI-HCVR7216A-S3 recorder, including cleartext passwords, auto-admin login allows data sniffing, admin password bypass, unencrypted communications allows man-in-the-middle attack.
• October 2016 - Dahua camera and NVR firmware prior to January 2015 shipped with telnet enabled, which coupled with well-known admin credentials allowed attackers to gain access to a root shell and exploit the device. The most popular exploit was the Mirai botnet, which took down internet sites and service providers in October 2016. Products OEM'd from Dahua, which include multiple brands such as FLIR and Honeywell, were also affected.
• November 2013 - Recorders with firmware 2.608 could be exploited to accept certain admin commands without authentication, allowing an attacker to retrieve configuration information from the device to change user passwords. ExploitDB contains additional details under ID 29673

Dedicated Micros

• August 2015 - Dedicated Micros DVRs, including at least DV-IP Express, SD Advanced, SD, EcoSense, and DS2, ship with no default credentials, and insecure protocols enabled. This can allow attackers to take over the device and/or to sniff network traffic during setup. Additional details in VU 276148.

Dormakaba

• January 2024 - Dormakada Saflok Key Derivation Function (KDF) Algorithm Cracked. The secret Key Derivation Function (KDF) algorithm in the Saflok RFID system from Dormakaba is cracked, allowing an attacker to calculate the card's unique keys quickly.

FLIR

• June 2017 - Multiple vulnerabilities, with no firmware fix, including ability to see live images without authentication, remote code execution, and hard-coded accounts, outlined in Beyond Security disclosure. Additional details and analysis in: FLIR Thermal Camera Multiple Vulnerabilities, Patch Released.

GeoVision

• July 2023- Geovision 9.8 Critical Vulnerability From Uniview Examined- The US government disclosed a critical 9.8 vulnerability in a Geovision camera, CVE-2023-3638, regarding improper authentication in a Geovision GV-ADR2701 IP camera. IPVM verified that this is not truly from Geovision but OEMed from Uniview
• January 2018 - In firmware older than December 2017 one can gain root access with either a curl command within CLI or http in a browser. This is a simple copy / paste / enter specific IP address. There are 15 separate vulnerabilities that range from capturing a screen shot to printing the camera credentials in clear text. IPVM covered this here.

Geutebrück

• July 2021 - G-Cam E2 and G-Code equipment is very similar to their vulnerability from 2017; an authentication bypass vulnerability has been identified. The existing file system architecture could allow attackers to bypass the access control that may allow remote code execution. More details from CISA here.
• February 2017 - In G-Cam/EFD-2250 with firmware version 1.11.0.12 an authentication bypass vulnerability has been identified. The existing file system architecture could allow attackers to bypass the access control that may allow remote code execution. Details in ICS CERT Advisory.

Hanwha

• November 2023- Hanwha SolidEdge Cameras High Severity Vulnerability 2023- IPVM discovered a vulnerability (CVE-2023-5747) with a high severity rating in the Wave VMS server upgrade function that allowed the execution of arbitrary system commands after authentication.
• May 2023- Hanwha 1 High and 2 Medium Security Vulnerabilities 2023- IPVM discovered and reported 3 vulnerabilities, 1 high and 2 medium severity, CVE-2023-31994, CVE-2023-31995, and CVE-2023-31996.
• May 2017 - SRN-4000, SRN-1673S, SRN-873S, and SRN-473S recorders have a vulnerability in some firmware versions where a user who was previously logged into an affected device and use cached data/files to gain access to the same recorders management interface, bypassing the standard authentication screen. Additional detail in the ICS-CERT release and Hanwha Vulnerability Analysis report.

HID

• January 2024- HID Discloses High Severity Vulnerabilities On Configuration Cards- HID released two high-severity CVEs on malicious configuration cards, and unauthorized encoders, CVE-2024-23806 and CVE-2024-22388, respectively.
• September 2023- HID Standard Profile Makes 13.56 MHz SE / Seos As Vulnerable As Cracked 125 kHz For Downgrade Attack-While 13.56 MHz HID SE and Seos are marketed as high security, they are just as vulnerable as long-cracked 125 kHz credentials in a downgrade attack on most HID readers. Risk of attack is high as even non-technical users can perform this attack using Flipper Zero, an ICS decoder, and the mail service, Mr. KeyFob. IPVM also tested this attack on a range of HID products.
• Mercury Security has 8 vulnerabilites including the highest possible 10.0 risk, and researchers recently demonstrated how to hack open a door while using one of the industry's biggest brands.
• March 2016 - VertX and EDGE systems with firmware prior to March 2016 are susceptible to a command injection exploit, where an attacker can cause the controllers to lock or unlock doors without authentication, as well as perform a number of other functions on the controller. This vulnerability was detailed on Trend Micro's blog, technical details can be found in this github repository.

Hikvision

• November 2023- Hikvision IP Camera And Recorder New High Severity Hik-Connect Vulnerability Analyzed- Hikvision has a new high-severity vulnerability, impacting cameras and recorders broadly, CVE - CVE-2023-48121,
• November 2023- Hikvision High Severity Vulnerability November 2023 Analyzed- Hikvision disclosed a high-severity vulnerability, CVE-2023-28811, affecting a wide range of its DVRs and NVRs.
• June 2023- Hikvision Access Control Vulnerabilities Analyzed- Hikvision disclosed 2 vulnerabilities in its access control / intercom products, CVE-2023-28809 and CVE-2023-28810.
• May 2023- Hikvision Hik-Connect 5 App / JWT Vulnerabilities Analyzed-IPVM discovered a critical vulnerability in the Hikvision Hik-Connect cloud that allowed unauthorized access to Hik-Connect user's accounts by simply listening on network traffic for logs sent unencrypted from the Hik-Connect app to the Hikvision cloud, Hikvision fixed but did not publically disclose the vulnerability.
• December 2022 - Hikvision vulnerability impacting 400,000 Hikvision and OEM devices online. This vulnerability is critical as it allows a remote user, unauthenticated, to obtain the device's admin username and password.
• September 2021 - Hikvision Highest Level Critical Vulnerability, Impacting 100+ Million Devices - 9.8 vulnerability that is the highest level of critical vulnerability, a zero-click unauthenticated remote code execution affecting over 100 million devices.
• February 2021 - Hikvision 100 Vulnerabilities In Firmware - Lithuania's Ministry of Defence decompiles Hikvision firmware, checked for known CVEs, finds over 100 vulnerabilities and Linux packages a decade old.
• August 2018 - Hikvision IP Camera Critical Vulnerability - Exploiting the vulnerability allows attacks to either take over the device or crash the camera.
• April 2018 - Hikvision Critical Cloud Vulnerability - just knowing the registered email/phone number can get admin access. Note this was resolved before the date of disclosure.
• November 2017 - Some Hikvision Wifi cameras attempt to connect to SSID "davinci" by default, allowing an attacker to setup a rogue access point with this SSID to gain access to camera for further exploit.
• August 2017 - Hikvision's algorithm for generating security codes to reset admin passwords is cracked, with tools released to enable easy code generation.
• August 2017 - iVMS-4200 has password recovery feature that divulges admin password encrypted with reversible method.
• March 2017 - A potential vulnerability was first reported in March 2017, and then verified in a US Department of Homeland Security release. Attackers can bypass authentication measures to get access to admin-level features in the web interface of affected Hikvision cameras.
• December 2016 - A security researcher found hik-online.com servers vulnerable to an XML External Entity (XXE) exploit. This vulnerability allowed the researcher to retrieve arbitrary files from the server, exposing users to the risk of having data on the public IP/port of their registered devices exposed. Further coverage available in our Hikvision cloud server vulnerability report.
• September 2014 - NVR's with firmware 2.2.10, and possibly other versions, contain a vulnerability that allows for a buffer overflow attack, enabling attackers to gain control of the device. This vulnerability was examined and described by research firm Rapid7. Hikvision
• August 2013 - Hikvision IP cameras with firmware v4.1.0 b130111, and possibly other versions, can be attacked to gain access to the admin account, bypass authentication entirely using hard-coded credentials, or to execute arbitrary code through a buffer overflow attack. Core security issued a report detailing these exploits.

Honeywell

• January 2020 - Honeywell Maxpro VMS & NVR Vulnerability - Attackers are able to remotely execute code and via SQL injection vulnerability an attacker can could gain unauthenticated access to the web user interface with admin rights.

LenelS2

• December 2022 - LenelS2 critical vulnerability, with a 9.8 CVSS score, impacting software solutions used by enterprises and governments globally. IPVM examines a critical vulnerability that enables an authentication bypass through a bug in RabbitMQ's implementation of the TLS protocol.

Lilin

• March 2020 - LILIN Vulnerabilities Used by DDoS Botnets - 3 Vulnerabilities: command injection vulnerabilities with NTUpdate, FTP, and NTP, hardcoded credentials, and arbitrary file reading vulnerability with LILIN DVRs.

Milesight

• November 2016 - Milesight camera firmware prior to ~November 2016 may contain a number of vulnerabilities including hard-coded credentials and the ability to execute admin commands via unauthenticated CGI calls, making the cameras highly vulnerable to attacks.

NeoCoolCam

• August 2017 - HTTP and RTSP service are vulnerable to multiple forms of buffer overflow attacks. Devices use uPNP to open ports in firewall, making them exposed by default in many installs. ~170K units impacted. Full details in Bitdefender whitepaper on NeoCoolCam vulnerability.

Netgear

• August 2019 - Several vulnerabilities in the RealTek SDK including stack overflows which accommodate remote code execution, and in the proof of concept, bashis is able to add and delete admin level access to credentials. See: Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More

Network Optix

• September 2023 - Network Optix Nx Witness Cloud, High-Security Vulnerability 2023-PVM discovered a critical vulnerability in Network Optix Nx Witness that allowed attackers to impersonate a legitimate VMS server and expose user credentials, Network Optix disclosure available here.

Nuuo

• October 2016 - Nuuo NT-4040 Titan firmware version NT-4040_01.07.0000.0015_1120, contains default credentials of admin:admin, and localdisplay:111111. A remote network attacker can gain privileged access to a vulnerable device. Further information can be found in CERT Vulnerability Listing for this issue.
• August 2016 - Multiple devices, including the NVRmini, NVRmini2, Crystal, Titan and NVRSolo with firmware prior to 3.0.8 have multiple vulnerabilities that allow for remote code execution, remote root exploit, remote file deletion, and other attacks. Exploits are listed on ExploitDB under multiple IDs, including: 40200, 40209, 40210, 40211, 40212, 40213, 40214, 40215. Each of these represents a critical vulnerability that is easy for an attacker to execute against the device.

Pelco

• July 2016 - Digital Sentry products running firmware prior to 7.13.84 contained a hard-coded admin account that could be used to take full control of the device by a remote attacker. IPVM covered this vulnerability when it was made public, and CERT also contains additional details.

Raysharp

• February 2016 - Raysharp DVR's sold under various brands has firmware with multiple exploits, including ability to bypass authentication and get telent access. Details can be found on the researchers blog.

Sony

• July 2018 - Sony Talos 2018 Vulnerabilities - Allows commands to be executed without Admin credentials, however attacker needs to know what commands to execute so it is more complex than some other, simpler vulnerabilities.
• December 2016 - Attackers can remotely enable telnet on Gen 5 and Gen 6 cameras with firmware prior to 1.86.00 and 2.7.2 respectively, enabling them to potentially login as root. Additional details in our coverage of this exploit.

Siemens

• November 2016 - Specially crafted URLs allow an attacker to gain admin-level privileges on affected cameras. List of affected cameras and recommended firmware versions to resolve this issue are provided by Siemens.

TBK (OEM Night Owl, Q-See, And More)

• April 2018 - TBK (and OEMs) Vulnerability Provides Clear Text Credentials - a curl / http command provides the admin credentials of affected DVRs in plain text.

Turing

• November 2023- Turing Edge+ Cloud Cameras, Critical Security Vulnerability 2023- IPVM discovered a critical severity vulnerability in Turing's Edge+ cloud cameras, allowing cloud communications to be intercepted, CVE-2023-42425

TVT

• April 2018 - TVT Backdoor, Hardcoded authentication to download remote system configuration - including login and password in clear text
• March 2016 - Specially crafted URLs can be used to cause the recorders manufactured by TVT to execute arbitrary commands. At least 79 distinct brands OEM'd these units, including well-known brands like ADI and Q-See. Rotem Kerner documented the exploit on his site, and also provided IPVM with additional details on how he crafted the exploit.

Ubiquiti

• March 2021 - Ubiquiti 'Catastophic' Data Breach - Unauthorized access of some of their systems hosted by a "third-party cloud provider" (Amazon Web Services).
• March 2017 - A command injection vulnerability was reported in firmware prior to AirOS 8.0.1. Relatively low risk of exploit, but could enable severe holes in network, such as reverse shells, if properly executed.

Uniview

• December 2021-Uniview CVE-2021-45039 8.9 Vulnerability Analyzed- Uniview released a security notice for a buffer overflow vulnerability in UDP port 7788 with a CVSS score of 8.9.
• October 2017 - Admin password hash can be retrieved from Uniview recorders, and then used to login as admin, allowing full access. Details covered in Uniview Recorder Backdoor Examined.

Verkada

• March 2021 - Verkada Mass Hack - Hackers were able to get root / admin access on all ~150,000 cameras and were able to pivot to other systems on customers' networks.

Vivotek

• November 2017 - Potential for stack overflow, likely resulting in denial of service, via malformed URL calls. Details in Vivotek Remote Stack Overflow Vulnerability.
• July 2017 - CGI scripts on Vivotek cameras can be used to access files and run commands as root. Additional coverage: Wrongly Accused Critical Vulnerability for Vivotek
• November 2013 - Firmware 0105a, 0105b, and possibly other versions, are susceptible to having RTSP authentication bypassed, allowing video streams to be viewed without authentication. Firmware after 0301c should not be affected. Additional information from Core security: Vivotek RTSP auth bypass.

Wansview (AJ Cloud)

• May 2023- Massive Leak Found For AJCloud-IPVM discovered a cybersecurity leak in gitlab.ajcloud.net, allowing an attacker to gain unauthenticated access to server source code, RSA private keys, certificates, AWS/Alicloud secret keys, and SMTP usernames/passwords. Technical details available in Amazon's Top Selling IP Camera Wansview - Cyber Security Tested.

Wyze

• June 2021 - Mass P2P Video Surveillance Vulnerability Impacts Millions (ThroughTek) - The vulnerability allows attackers to remotely access video and audio over the Internet, from a ThroughTek-powered NVR or camera, including Wyze.
• December 2019 - Wyze Massive Data Leak - Millions of users' account data was exposed publicly including email addresses, usernames, WiFi SSIDs, and more.

XiongMai

• February 2020 - Chinese NVR/DVR Vulnerability - Huawei (HiSilicon) backdoor uses a combination of port knocking to open enable telnet along with hardcoded root credentials.
• December 2017 - Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks
• October 2016 - Xiongmai firmware prior to January 2015 shipped with telnet enabled, which coupled with well-known admin credentials allowed attackers to gain access to a root shell and exploit the device. The most popular exploit was the Mirai botnet, which targeted Dahua and Xiongmai devices, and took down internet sites and service providers in October 2016. Due to Xiongmai being primarily an OEM component supplier, many affected products were sold under alternate brands.

Beware Of OEMs / Relabeling

Firmware and software vulnerabilities often affect other brands manufactured by companies listed in this directory, since OEM'd equipment typically has the same fundamental software. For example, Dahua camera vulnerabilities will be present in Amcrest branded cameras that are manufactured with the same or similar firmware.

An example of this is the Dahua Wiretapping Vulnerability, which was originally discovered in Amcrest cameras or the Hikvision Backdoor, which affected LTS, W-Box, and others.

To find out which brands might be affected, see our OEM directories:

• Dahua OEM Directory
• Hikvision OEM Directory
• Uniview OEM Directory
• TVT OEM Discussion & List of 79 DVR OEMs

Vulnerability Discovery and Disclosure

Who discovers and discloses each vulnerability varies from manufacturer to manufacturer and incident to incident.

It is common for a researcher to discover a vulnerability within firmware and present that finding to the manufacturer. Typically, manufacturers are given a period of time to correct the vulnerability before the hacker publishes details or proof of concept. Researchers provide the manufacturer with time to correct the vulnerable software before publishing details, such as a proof of concept exploit, though many are published after non-response by manufacturers.

Less commonly, manufacturers discover and disclose vulnerabilities during their own internal testing. For example, Axis' most recent vulnerability was self-discovered and disclosed on their product security page.

2020-07-31 An internal software security audit discovered a flaw in the protection against device tampering (known as Secure Boot) in AXIS W800 and AXIS S3008. Read the Axis Security Advisory for more information.

However, this is less common than third-party disclosures.

• Genetec Self-discloses vulnerability
• Milestone Self-Discloses Mobile Password Vulnerability

Other Vulnerabilities

This directory is intended to cover major vulnerabilities over the past several years, but is not exhaustive. If you feel we are missing an exploit, send us an email or securely send us a tip.