Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Hikvision Exploiter: The open-source tool for attacking IP cameras

31 October 2025 07:12

An open-source tool known as HikvisionExploiter was recently updated. It is designed to automate cyberattacks against vulnerable Hikvision IP cameras.

Designed to facilitate penetration testing operations, this tool highlights how easily unprotected devices can be compromised, enabling interception of surveillance feeds or theft of login information.

The toolkit supports multithreaded scanning of thousands of targets specified in an easy-to-read targets.txt file, and it logs the results in time-stamped and color-coded directories for easy analysis.

It runs a series of automated tests, starting with checking for unauthenticated access to obtain real-time information. It then decrypts and recovers configuration files using AES and XOR methods, extracting sensitive information such as usernames, authorization levels, and other data from the XML outputs.

It was originally published on GitHub in mid-2024, but was updated following the recent wave of exploits targeting cameras in 2025. The Python-based tool targets unauthenticated endpoints found in cameras running outdated firmware.

For comprehensive network defense testing, advanced features are included that allow remote command execution by exploiting specific vulnerabilities using command injection techniques, along with an interactive shell for more detailed analysis. Python 3.6 or higher is required, as well as external libraries such as requests and pycrypto. FFmpeg is also required for the video snapshot compilation feature.

At the heart of the toolkit is CVE-2021-36260, a critical command injection flaw in Hikvision’s web server that allows unauthenticated attackers to execute arbitrary operating system commands. The bug was discovered in 2021. The vulnerability stems from inadequate input validation in endpoints such as /SDK/webLanguage, allowing remote code execution with elevated privileges.

It affects several Hikvision camera models, particularly the DS-2CD and DS-2DF series, running firmware versions older than the vendor's patches. This flaw has been actively exploited since 2021, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, which lists vulnerabilities exploited in real-world attacks.

In 2025, researchers noted new abuse techniques, such as using the "mount" command to install malware on compromised devices. With thousands of Hikvision cameras still exposed online, attackers can steal snapshots and user data or move on to network breaches, fueling ransomware or DDoS operations.
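
For defenders, requests to the /SDK/webLanguage endpoint named above, especially one source touching many cameras in quick succession, are a usable detection signal in proxy or firewall logs. The following Python script is an added example, not code from HikvisionExploiter or from the original article; the key=value log layout, the sample lines, the fan-out threshold and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoint named in the article as the CVE-2021-36260 injection point.
WATCHED_PATH = "/SDK/webLanguage"

# Assumed key=value log layout (hypothetical); adapt the regex to your proxy or firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
2025-10-31T07:12:01Z src=203.0.113.7 dst=10.0.5.21 method=PUT path=/SDK/webLanguage status=200
2025-10-31T07:12:01Z src=203.0.113.7 dst=10.0.5.22 method=PUT path=/SDK/webLanguage status=404
2025-10-31T07:12:02Z src=203.0.113.7 dst=10.0.5.23 method=PUT path=/sdk/weblanguage?x=1 status=200
2025-10-31T07:12:05Z src=10.0.9.14 dst=10.0.5.21 method=GET path=/doc/page/login.asp status=200
2025-10-31T07:13:40Z src=198.51.100.9 dst=10.0.5.21 method=PUT path=/SDK/webLanguage status=401
malformed line that the parser must skip
"""

def find_hits(lines):
    """Return parsed records for every request that touches WATCHED_PATH."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        # Compare case-insensitively and ignore any query string.
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path == WATCHED_PATH.lower():
            hits.append(m.groupdict())
    return hits

def summarize(hits, fanout_threshold=3):
    """Group hits by source; mark sweeps and list cameras that answered 200 (triage first)."""
    cams, answered = defaultdict(set), defaultdict(set)
    for h in hits:
        cams[h["src"]].add(h["dst"])
        if h["status"] == "200":
            answered[h["src"]].add(h["dst"])
    return {src: {"cameras": sorted(dsts),
                  "scan_like": len(dsts) >= fanout_threshold,
                  "answered_200": sorted(answered[src])}
            for src, dsts in cams.items()}

if __name__ == "__main__":
    for src, info in summarize(find_hits(SAMPLE_LOG.splitlines())).items():
        print(src, info)
```

Cameras listed under answered_200 are the ones to check against the vendor's patched firmware versions first; a 200 response alone does not prove compromise.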

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.