80,000 Hikvision Security Cameras Left Wide Open — and Criminals Are Selling the Keys
A critical flaw in one of the world's most popular surveillance cameras has sat unpatched for nearly a year on tens of thousands of devices. Now hackers are trading access on underground forums.

Key points
- More than 80,000 Hikvision surveillance cameras worldwide remained unpatched as of mid-2022 against a flaw first disclosed in autumn 2021.
- The flaw, CVE-2021-36260, scored 9.8 out of 10 on the standard severity scale — meaning it is about as dangerous as vulnerabilities get.
- CVE-2021-36260 is a command injection flaw — a bug that lets an outside attacker send hidden instructions to a camera and take full control of it without a password.
- Stolen login credentials for vulnerable cameras have appeared for sale on Russian dark-web forums.
- Hikvision is a Chinese state-owned company; the U.S. Federal Communications Commission designated it an unacceptable national-security risk in 2019.
Hikvision — full name Hangzhou Hikvision Digital Technology — makes surveillance cameras used in offices, hospitals, schools, and public spaces across more than 100 countries. It is owned by the Chinese government. Despite the FCC flagging it as a national-security risk three years ago, its hardware is still common in the United States and beyond.
Last autumn, security researchers published details of CVE-2021-36260, a command injection flaw in Hikvision cameras. A command injection flaw means an attacker can send a specially crafted message to the device over the internet and force it to obey their instructions — no username, no password required. The U.S. National Institute of Standards and Technology rated it 9.8 out of 10 for severity. Hikvision released a patch, a software fix, shortly after.
Nearly a year later, more than 80,000 cameras have never received that fix.
Why are so many cameras still vulnerable?
Patching a camera is simply harder than updating an app on your phone. Your phone nags you, then often installs updates on its own. Internet-connected cameras — a category called IoT devices, meaning "Internet of Things" gadgets that connect everyday objects to the web — rarely do either. Owners must manually download and apply firmware updates, and many never hear that an update exists.
Paul Bischoff of consumer-research firm Comparitech put it plainly: IoT devices usually give users no sign that anything is wrong. The device keeps showing a picture; nothing looks broken.
Hikvision's own security culture hasn't helped. David Maynor, senior director of threat intelligence at cybersecurity-training firm Cybrary, told Threatpost that Hikvision products have long carried easy-to-exploit flaws and that, critically, many cameras ship with the same default passwords — standard, publicly known login codes that are set at the factory. A large number of owners never change them. That means attackers who know the model can simply try the factory password and walk straight in.
Criminals don't have to hunt for these cameras manually. Search engines like Shodan index internet-connected devices the way Google indexes websites, making it straightforward to find every exposed Hikvision camera on the public internet.
Researchers have now found posts on Russian dark-web forums — hidden online marketplaces used by criminals — where people are actively trading stolen credentials for vulnerable cameras and discussing how to exploit them at scale. Hacking groups linked to both Chinese and Russian state interests are considered likely to be interested.
If your workplace uses Hikvision cameras, ask whoever manages your IT or building security whether the firmware has been updated and whether default passwords have been changed. Those two steps close the most obvious doors.



