Industry
When Your Camera Manufacturer Becomes Your Vulnerability
On February 28, 2026, Check Point Research observed Iran-nexus actors begin a coordinated exploitation campaign against Hikvision and Dahua cameras across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon. Five CVEs, all with patches available, hundreds of attempts per Check Point's threat intelligence group manager Sergey Shykevich.
A week later, on March 5, CISA added CVE-2017-7921, a Hikvision authentication bypass with a CVSS of 9.8, to its Known Exploited Vulnerabilities catalog. The vulnerability was disclosed in 2017. Federal agencies had until March 26 to remediate.
In June 2025, during the Israel-Iran conflict, Iran reportedly compromised a street camera facing the Weizmann Institute of Science before launching a ballistic missile strike on the building. The same actor categories previously targeted programmable logic controllers in US drinking water and wastewater facilities. Compromised cameras are reconnaissance, persistence, and battle damage assessment infrastructure. The supply chain that produced your IP cameras is the question of whether your physical security becomes someone else's reconnaissance platform.
An IP Camera Is a Computer on Your Network
A modern IP camera runs embedded Linux, exposes HTTP/HTTPS admin interfaces, ONVIF, RTSP, and often telnet or SSH on internal ports. When compromised, the attacker does not just get the video feed. They get a foothold inside the network the camera was meant to protect.
Per the Wavestore 2026 State of Video Network Cybersecurity Report, IP cameras and edge devices function as primary entry vectors for lateral movement into IT, OT, and ICS environments. Zero-day exploitation targeting IoT devices increased 46 percent in recent reporting periods. Buyers who treat surveillance as physical-security infrastructure rather than IT infrastructure are buying for the wrong threat model.
What the 2025 to 2026 CVE Record Actually Shows
Across multiple manufacturers, multiple chipset families, and active exploitation in the wild:
| Date | Vendor / CVE | Severity | Exposure | Source |
|---|---|---|---|---|
| Jul 2025 | Dahua: CVE-2025-31700, CVE-2025-31701 | CVSS 8.1 each | Unauthenticated RCE granting root access without user interaction. Bypasses firmware integrity checks. Affects Hero C1, IPC-1XXX/2XXX/WX/ECXX, and SD series with firmware older than April 16, 2025 | Bitdefender IoT Research Team |
| Jan 2026 | TP-Link VIGI: CVE-2026-0629 | CVSS 8.7 | More than 32 VIGI C and VIGI InSight models. Authentication bypass exploitable from same network without admin credentials, enabling complete admin takeover. 2,500+ exposed cameras as of October 2025 | SecurityWeek |
| Mar 2026 | Hikvision: CVE-2017-7921 added to CISA KEV | CVSS 9.8 | A 2017 authentication bypass added to KEV in 2026 because enough cameras remained unpatched and exposed nine years later. KEV addition requires observed exploitation in the wild | CISA |
| Feb-Mar 2026 | Iran-nexus campaign: 5 CVEs across Hikvision and Dahua | Multiple | Hikvision: CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067. Dahua: CVE-2021-33044. All five had patches available. Infrastructure: Mullvad, ProtonVPN, Surfshark, NordVPN exit nodes plus VPS | Check Point Research |
TP-Link is not a Chinese company in the way Hikvision and Dahua are. Buyers who chose TP-Link to avoid the geopolitics still got a critical CVSS on a fleet of devices.
The Supply Chain Layer Most Buyers Never See
CVE advisories name the brand on the box. The risk often lives one or two layers down, in the system-on-chip, the firmware base, or the OEM rebrand history.
The chipset layer. Huawei's HiSilicon subsidiary, with the Hi3516, Hi3518, and Hi3520 families, has powered tens of millions of IP cameras worldwide. The chipset provides the SoC, the Linux base image, and core software components, so a vulnerability in HiSilicon firmware reaches every brand built on that SoC regardless of badge. Per IPVM teardown reporting:
| Brand | OEM relationship | SoC family |
|---|---|---|
| Honeywell (select cameras) | OEMed from Dahua | HiSilicon |
| Hanwha L-series (low-cost) | Direct | HiSilicon |
| Uniview | Huawei spinout | HiSilicon (default) |
| LTS | OEMed from Hikvision | Per Hikvision parent build |
| ADI W-Box (historical) | OEMed from Hikvision | Per Hikvision parent build |
NDAA Section 889 implementation guidance treats HiSilicon presence as disqualifying for federal procurement, recognizing the chipset as the supply chain element rather than the brand.
The OEM rebrand reality. The IPVM Hikvision OEM Directory documents more than 50 active brands shipping Hikvision-OEMed product under their own labels, with another 60-plus that dropped Hikvision in recent years. A buyer who specifies "no Hikvision" but accepts an LTS bid has the risk profile they tried to avoid. The CVE that hits the parent vendor hits every rebrand under it.
The firmware origin question. Most camera firmware ships as opaque binary blobs. The buyer cannot inspect what is in it, cannot reproduce the build, and cannot verify the toolchain. Per CISA's 2025 SBOM Minimum Elements draft and the DoD Golden Dome for America memo (July 2025), Software, Firmware, and Hardware Bills of Materials are now named procurement requirements for sensitive systems. Vendors who cannot provide these are operating below the emerging federal standard.
How Iron Gate's Supply Chain Closes the Gap
Every Iron Gate system is designed, engineered, assembled, and tested at Iron Gate's Holly Hill, Florida facility. No contract assembly. No ODM rebrand. Full domestic supply chain documentation supports Buy American Act (41 USC 8301-8305) and Executive Order 14017 procurement requirements. Per the government solutions page: no foreign-manufactured components in critical systems. The qualifier "in critical systems" is the engineering position. The camera SoC, the firmware, and the network stack are critical-system components.
AI threat detection is developed in compliance with ISO/IEC 42001. Senior leadership brings 28 years of federal law enforcement experience across ICE, US Border Patrol, and FLETC instructor roles. The team holds 11 patents in security technology, on-premise data storage, and hardware. On-premise architecture removes the cloud-provider attack surface. Cellular and solar connectivity options remove dependence on facility IT during incidents.
When a CISA KEV addition or a 2 a.m. CVE drops, the vendor's supply chain determines whether the fleet can be patched in days, weeks, or never. The vendor who cannot tell you what is inside the firmware cannot tell you when you are exposed.
Three Hidden Supply Chain Risks Most Buyers Miss
The unpatched-fleet problem. When a vendor stops shipping firmware updates, whether end-of-life, market exit, or sanctions, the buyer is left with a fleet that cannot be patched. CVE-2017-7921 was disclosed in 2017 and added to CISA KEV in 2026 because enough Hikvision cameras were still unpatched and exposed nine years later.
The white-label visibility gap. Procurement controls that name a manufacturer do not stop a rebrand. A buyer who specifies "no Hikvision" but accepts a generic security-distributor brand or a private-label that turns out to be Hikvision-OEMed has the risk profile they tried to avoid.
The chipset-vulnerability blast radius. Vulnerabilities in widely deployed SoCs reach every product family that ships them. A HiSilicon vulnerability touches Honeywell-OEMed, Hanwha-OEMed, Uniview, and dozens of low-cost rebrands simultaneously. Buyers who diversified across brands without diversifying across chipsets did not actually diversify their supply chain risk.
How to Evaluate a Camera Vendor's Supply Chain Posture
A six-question checklist for an RFP or vendor review.
- Where is the camera physically manufactured, and is the manufacturer the brand or a contract assembler? The brand on the box is not always the manufacturer.
- What system-on-chip does each model use, and where is the SoC manufactured? SoCs propagate vulnerabilities across product families.
- Where does the firmware originate, and is the build reproducible? Opaque binary firmware from a vendor who cannot say what is in it is a black box.
- Will the manufacturer provide an SBOM, FBOM, and HBOM? CISA's 2025 SBOM Minimum Elements draft and the DoD Golden Dome memo name these as procurement requirements for sensitive systems.
- What is the firmware patch cadence and the SLA from CVE disclosure to patch? A vendor that takes 90 days to patch a CVSS 8+ flaw leaves the fleet exposed the full window. Get the SLA in the contract.
- If the vendor exits the market or is sanctioned, what is the buyer's path to continued patches? Source code escrow, third-party patching, or domestic-manufacturer commitments are the options. Replacement on a critical fleet is measured in months.
Iron Gate's Position
Holly Hill, Florida manufacturing. Domestic supply chain documentation. No foreign-manufactured components in critical systems.
When a CVE drops, exposure is determined by the vendor's supply chain. To talk through what that looks like for a specific deployment, see Iron Gate's SecMods perimeter security platform, call 904-896-5618, or book a security assessment.
Common Questions
Why are IP cameras a cybersecurity risk?
An IP camera is a Linux computer with a network interface. Compromise of the camera grants the attacker a foothold on the network the camera was meant to protect, not just access to video. Compromised cameras have been used for botnet recruitment, lateral movement, and persistence in IT, OT, and ICS environments.
What is a HiSilicon chip and why does it matter for camera security?
HiSilicon is a Huawei subsidiary that produces the system-on-chip in tens of millions of IP cameras across many brands, often in low-cost product lines. The SoC provides the core hardware and the Linux base. A vulnerability in HiSilicon firmware reaches every camera built on that SoC regardless of badge. NDAA Section 889 implementation guidance treats HiSilicon presence as disqualifying for federal procurement.
Is buying a non-Chinese brand enough to avoid supply chain risk?
Not necessarily. OEM rebrands and chipset-level dependencies mean a Western-branded camera can still ship with Chinese silicon and Chinese-derived firmware. IPVM has documented Honeywell-branded cameras OEMed from Dahua and Hanwha L-series cameras using HiSilicon chips. Due diligence has to reach the manufacturer, the SoC, and the firmware origin, not just the brand.
What is an SBOM, FBOM, or HBOM?
Software Bill of Materials, Firmware Bill of Materials, and Hardware Bill of Materials. Inventories of the components, dependencies, and origins of the software, firmware, and hardware in a product. CISA's 2025 SBOM Minimum Elements draft and the DoD Golden Dome memo name these as procurement requirements for sensitive systems.
Why did CISA add CVE-2017-7921 to its Known Exploited Vulnerabilities catalog nine years after disclosure?
Because enough Hikvision cameras with the original 2017 authentication bypass remained unpatched and exposed to be actively exploited in early 2026. CISA confirms exploitation in the wild before adding a CVE to KEV. The addition is a signal about the installed base, not the original advisory.
Ready to Talk Security?
Our engineering team can walk you through the right solution for your environment.
Book a Security Assessment