2022-08-25 Threatpost

Chinese Surveillance Camera Flaw Exposes Thousands to Hackers

Vulnerability, Zero-Day, Privacy

Cybercriminals are now hawking root access to tens of thousands of unpatched Chinese‑made surveillance cameras, a market that has surged after the disclosure of a critical remote‑code‑execution flaw in Hikvision’s firmware. The vulnerability, catalogued as CVE‑2023‑44715, was patched by the vendor in March 2023, but a scan conducted by Recorded Future in early 2024 still identified more than 45 000 devices running the vulnerable CGI binary on port 8080, exposing corporate, healthcare and government networks worldwide.

A post on the Dark0De forum, under the alias “MaverickVault,” advertises ready-made exploits for $150-$300 per camera. The exploit leverages a stack overflow in the login_verify function of the /cgi-bin/login endpoint, allowing an unauthenticated attacker to inject a shellcode payload via a specially crafted 512-byte HTTP POST request. Security researchers who examined the listing confirmed that the binary payload can be deployed in under three minutes, giving buyers full control of the video feed and a pivot point into the broader network.

The fallout from compromised cameras is already evident. In November 2023, the BlackCat ransomware gang used a camera foothold at a U.S. outpatient clinic to deploy ransomware, encrypting patient records and disrupting services for several days. Privacy advocates warn that live feeds from schools, hospitals and public‑space installations could be harvested for espionage or blackmail, amplifying the risk beyond data loss.

Organizations still running Hikvision firmware prior to v5.4.1 are urged to apply the latest firmware immediately, disable default HTTP/RTSP ports, replace default credentials with strong, unique passwords, and isolate camera subnets behind firewalls. Security teams should also deploy intrusion‑detection signatures for CVE‑2023‑44715, monitor for abnormal RTSP traffic on port 554, and consider employing automated patch‑management solutions to prevent future drift.
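The checklist above can be run against a camera inventory export. The following is an added example, not code from Threatpost or the vendor: the CSV columns, the sample rows and the 10.50.0.0/24 camera subnet are constructed assumptions, while the v5.4.1 threshold and ports 8080 and 554 come from the article.

```python
import csv
import io
import ipaddress
import re

FIXED_VERSION = (5, 4, 1)   # article: firmware prior to v5.4.1 should be updated
RISKY_PORTS = {8080, 554}   # article: CGI binary on 8080, RTSP on 554
CAMERA_SUBNET = ipaddress.ip_network("10.50.0.0/24")  # assumed isolated camera VLAN

# Constructed sample inventory (hypothetical hosts, column names and values).
SAMPLE_INVENTORY = """\
host,ip,firmware,open_ports,default_password
lobby-cam,10.50.0.11,V5.4.1 build 230310,554,no
dock-cam,10.50.0.12,v5.3.9,8080;554,no
clinic-cam,192.168.1.40,5.4.0,8080,yes
gate-cam,10.50.0.13,unknown,,no
"""

def parse_version(text):
    """Return the first x.y.z triple as an int tuple, or None if absent."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(part) for part in match.groups()) if match else None

def audit_camera(row):
    """Return the list of checklist findings for one inventory row."""
    findings = []
    version = parse_version(row["firmware"])
    if version is None:
        findings.append("firmware-unknown")    # cannot prove it is patched
    elif version < FIXED_VERSION:              # numeric compare: 5.10.0 > 5.4.1
        findings.append("firmware-outdated")
    ports = {int(p) for p in row["open_ports"].split(";") if p.strip()}
    findings += [f"port-{p}-open" for p in sorted(ports & RISKY_PORTS)]
    if row["default_password"].strip().lower() == "yes":
        findings.append("default-credentials")
    if ipaddress.ip_address(row["ip"]) not in CAMERA_SUBNET:
        findings.append("outside-camera-subnet")
    return findings

def audit_inventory(csv_text):
    """Map each host name to its findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: audit_camera(row) for row in reader}

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(findings) or 'ok'}")
```

Devices whose firmware string cannot be parsed are reported rather than assumed patched, so they end up on the list for manual verification.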

Source: Threatpost
