24 August 2022

Over 80,000 Hikvision CCTV cameras exposed to cyberattacks



Threat actors are still targeting CCTV cameras made by Hikvision, a Chinese state-owned manufacturer and supplier of video surveillance equipment, that remain vulnerable to an easily exploitable command injection flaw disclosed back in 2021, a new report from CYFIRMA reveals.

Tracked as CVE-2021-36260, the flaw allows a remote attacker to execute arbitrary shell commands on the target system. Because of insufficient input validation, an attacker could carry out a command injection attack by sending messages containing malicious commands. Hikvision fixed the vulnerability in September 2021 via a firmware update.

CYFIRMA researchers said they observed multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using CVE-2021-36260 globally. They also found leaked credentials of Hikvision camera products available for sale on various Russian forums, which hackers could use to gain access to the devices and an organization’s environment.

According to the report, out of 285,000 internet-facing Hikvision web servers analyzed, more than 80,000 were found to be vulnerable. The majority of the vulnerable devices are located in China, the US, Vietnam, the UK, Ukraine, and Thailand.

"Every hacker group could potentially exploit vulnerabilities in these devices, although any specific cybercriminal group exploiting these cannot be isolated at this stage," the cybersecurity firm said, adding that it has reason to believe that Chinese threat actors such as APT41 and APT10 and affiliates, as well as unnamed Russian hacker groups, could potentially use vulnerable devices to their advantage (which may include specific geo-political considerations).

