Legacy Hikvision camera vulnerability resurfaces in active exploits

On September 24, 2025, researchers at SANS Internet Storm Center observed a renewed wave of exploit attempts targeting Hikvision IP cameras and digital video recorders (DVRs) running outdated firmware using brute-force tactics against weak or default passwords. 

A previously reported vulnerability, tracked as CVE-2017-7921, was noted being used in the exploit attempts. The flaw stems from improper authentication handling in device management interfaces, allowing privilege escalation and unauthorized access. Despite firmware patches released by Hikvision, many devices remain unpatched and exposed to the internet, often due to rebranding by third-party vendors or limited user awareness.  It was patched in June 2017 and assigned a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.

Threat actors are leveraging this flaw to extract configuration files, user credentials, and snapshots from exposed devices. Logs from honeypots showed thousands of exploit attempts, such as /System/configurationFile and /Security/users, targeting endpoints.

In 2022, researchers reported that the Go-based malware Zerobot had abused CVE-2017-7921 to compromise Internet of Things (IoT) devices. Once compromised, cameras can be used for lateral movement, data exfiltration, or as nodes in distributed denial-of-service (DDoS) attacks.

In June 2025, we also reported on the Canadian government’s order for Hikvision Canada to cease operations over national security concerns.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst insight

The continued exploitation of CVE-2017-7921 highlights the inherent risk of deploying internet-facing surveillance technologies with a history of critical vulnerabilities. Hikvision IP cameras and DVRs, particularly those running outdated firmware or rebranded by third-party vendors, are frequently targeted.

Organizations are advised to conduct a full inventory of deployed surveillance equipment and identify any Hikvision-branded or OEM variants. If such devices are found, isolate them from public networks, restrict access via firewall rules, and disable remote administration features.

Replace default credentials with complex, alphanumeric passwords and monitor for suspicious access patterns, especially requests containing “auth=” parameters. Apply the latest firmware updates directly from Hikvision, if available, and enforce encrypted communication using HTTPS with token-based authentication.