Cybercriminals Are Selling Access to Chinese Surveillance Cameras

Tens of thousands of cameras remain unpatched after 11 months, leaving organizations worldwide exposed to cybercriminal access and surveillance breaches.

18 June 2026 · 5 min read

A silent security crisis is unfolding across corporate offices, government buildings, hospitals, and warehouses around the world. Tens of thousands of Chinese-manufactured surveillance cameras remain critically vulnerable to a known exploit — one that was identified and publicly disclosed nearly a year ago. Rather than scrambling to patch the flaw, many organizations have simply done nothing, and cybercriminals have taken full advantage. Threat actors are now actively selling unauthorized access to these cameras on dark web marketplaces, turning overlooked firmware updates into a thriving underground economy.

The Vulnerability: An 11-Month-Old CVE Still Left Unpatched

At the heart of this crisis is a critical Common Vulnerabilities and Exposures (CVE) entry that was publicly disclosed nearly a year ago. Despite being well-documented in cybersecurity circles and accompanied by an available patch from the manufacturer, the vast majority of affected devices have never been updated. This is not a zero-day exploit — it is an old, well-understood vulnerability with a known fix — and yet it remains actively exploitable across tens of thousands of live camera systems.

Critical CVEs of this nature typically receive a high severity score on the CVSS (Common Vulnerability Scoring System) scale, meaning they represent a direct, low-complexity threat that requires little skill to exploit. In the wrong hands, such a vulnerability can allow an attacker to take full control of a camera's feed, use the device as a pivot point into a broader corporate network, or quietly exfiltrate sensitive footage without triggering a single alarm.

The cameras in question are manufactured by vendors based in China — brands that have become ubiquitous in enterprise and public-sector deployments across North America, Europe, and beyond due to their low cost and feature-rich hardware. Their widespread adoption means that a single unpatched CVE can have an extraordinarily broad blast radius.

How Cybercriminals Are Monetizing the Exploit

Researchers tracking dark web forums and cybercriminal marketplaces have found listings in which threat actors openly advertise access to compromised surveillance cameras. These listings often include the geographic location of the camera, the type of facility it monitors — whether a factory floor, a retail store, or a government office — and in some cases, sample screenshots to prove access is genuine.

The business model is straightforward and deeply troubling. Buyers can purchase persistent access to individual cameras or batches of devices for relatively small sums. Once inside, a malicious actor can:

  • Monitor live and recorded footage for corporate espionage, physical security reconnaissance, or blackmail purposes.
  • Use compromised cameras as a foothold to move laterally into the organization's broader IT infrastructure, targeting servers, workstations, and sensitive data repositories.
  • Recruit devices into botnets to conduct distributed denial-of-service (DDoS) attacks against third-party targets, obscuring the true origin of the attack.
  • Sell access repeatedly to multiple buyers, maximizing revenue from a single compromised device.

The scale of the problem is not theoretical. Security researchers have identified thousands of organizations across multiple industries that are currently running vulnerable camera firmware, many of them entirely unaware that their physical security infrastructure has been turned against them.

Why So Many Organizations Remain Exposed

The persistence of this vulnerability raises an uncomfortable question: why haven't organizations patched it? The answer lies in a combination of institutional blind spots, fragmented IT responsibility, and the unique nature of IoT device management.

Surveillance cameras occupy an awkward space in most organizations' security architecture. They are often procured and managed by physical security or facilities teams rather than IT or cybersecurity departments, meaning they fall outside the scope of standard patch management processes. Many organizations do not even maintain a complete inventory of their connected cameras, let alone track firmware versions or monitor vendor security advisories.

Additionally, updating the firmware on large fleets of cameras can be technically complex and operationally disruptive. Cameras may be installed in hard-to-reach locations, run on isolated network segments, or require manual intervention for updates. For organizations managing hundreds or thousands of devices, the logistics can seem daunting — and so the patch gets deprioritized indefinitely.

This is precisely the gap that cybercriminals exploit. They rely not on sophisticated zero-day research but on patience and automation, using scanning tools to identify unpatched devices at scale and then monetizing access with minimal effort.

The Broader Implications for Enterprise and National Security

The issue extends beyond individual organizations. Chinese-manufactured surveillance equipment has already drawn scrutiny from lawmakers in the United States and Europe over concerns about potential state-affiliated data access. The presence of exploitable vulnerabilities in these devices — regardless of whether state actors are involved — amplifies those concerns significantly. A compromised camera inside a defense contractor's facility, a financial institution, or a critical infrastructure operator represents a national security risk, not just an IT inconvenience.

Regulatory bodies are beginning to take notice. Recent legislation in several countries has moved to restrict or ban certain Chinese camera brands from government installations, but millions of devices already deployed in the private sector remain in operation with little oversight.

What Organizations Must Do Right Now

The good news is that the technical remediation is straightforward. The patch exists. The challenge is execution. Security teams and organizational leadership should treat this as an urgent priority and take the following steps immediately:

  • Conduct a full IoT asset inventory. Identify every networked camera in your environment, including make, model, and current firmware version. Shadow devices and unmanaged endpoints are a common source of exposure.
  • Check vendor advisories and apply available patches. Consult the manufacturer's security bulletins and apply the latest firmware to all affected devices without delay. If automatic updates are supported, enable them.
  • Segment camera networks. Place surveillance cameras on isolated VLANs with strict firewall rules that prevent lateral movement into core business systems. A compromised camera should never be a gateway to your Active Directory.
  • Monitor for anomalous traffic. Use network detection and response (NDR) tools to flag unusual outbound connections from camera systems, which may indicate compromise or data exfiltration.
  • Establish an IoT patch management policy. Formalize the process for tracking and updating all connected devices, ensuring that cameras, access control systems, and other physical security hardware fall within the scope of your broader vulnerability management program.
  • Consider replacing end-of-life devices. If a camera model no longer receives firmware updates from its manufacturer, it should be treated as a liability and scheduled for replacement with a model that receives active security support.
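A minimal sketch of the inventory, firmware and traffic checks from the steps above, added here as an example and not taken from the article or any vendor tool. The model names, firmware versions, addresses and allow-list are constructed placeholders, and treating a model with no listed fixed release as unsupported is an assumption.

```python
import ipaddress
# Constructed sample data: model names, versions and addresses are placeholders.
PATCHED_MIN = {"CAM-MODEL-A": (5, 7, 3)}   # first fixed firmware per supported model
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")   # camera VLAN
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # all in-house address space
ALLOWED = {("10.20.0.1", 123), ("10.20.0.2", 443)}  # NTP server, recorder upload
INVENTORY = [
    {"ip": "10.20.0.11", "model": "CAM-MODEL-A", "firmware": "5.7.3"},
    {"ip": "10.20.0.12", "model": "CAM-MODEL-A", "firmware": "5.6.9"},
    {"ip": "10.20.0.13", "model": "CAM-MODEL-C", "firmware": "1.0.4"},
]
FLOWS = [  # (source, destination, destination port) of connections opened by source
    ("10.20.0.11", "10.20.0.1", 123),
    ("10.20.0.12", "203.0.113.50", 8443),
    ("10.20.0.12", "10.1.5.10", 445),
    ("10.20.0.99", "10.20.0.2", 443),
    ("10.1.5.20", "10.1.5.10", 445),
]

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def firmware_findings(inventory, patched_min):
    """Map camera IP -> 'needs-patch' or 'unsupported-model'."""
    findings = {}
    for dev in inventory:
        fixed = patched_min.get(dev["model"])
        if fixed is None:            # no fixed release listed: replacement candidate
            findings[dev["ip"]] = "unsupported-model"
        elif parse_version(dev["firmware"]) < fixed:
            findings[dev["ip"]] = "needs-patch"
    return findings

def flow_findings(flows, inventory, camera_net, allowed, internal):
    """Flag camera-VLAN connections that the allow-list does not explain."""
    known = {dev["ip"] for dev in inventory}
    alerts = []
    for src, dst, dport in flows:
        if ipaddress.ip_address(src) not in camera_net:
            continue                 # not a camera-VLAN source
        if src not in known:
            alerts.append((src, dst, dport, "uninventoried-device"))
        elif (dst, dport) not in allowed:
            kind = "lateral" if ipaddress.ip_address(dst) in internal else "external-egress"
            alerts.append((src, dst, dport, kind))
    return alerts

if __name__ == "__main__":
    print(firmware_findings(INVENTORY, PATCHED_MIN),
          flow_findings(FLOWS, INVENTORY, CAMERA_NET, ALLOWED, INTERNAL))
```

In practice the inventory would come from an asset database and the flow tuples from firewall or NetFlow exports; the allow-list should contain only the destinations the cameras need to function.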

The Cost of Inaction

Every day that passes without patching is another day that threat actors can sell access to your infrastructure. The reputational, financial, and legal consequences of a breach originating from an unpatched surveillance camera — a device installed specifically to protect the organization — would be severe. Regulators, insurers, and customers are all paying closer attention to IoT security posture than ever before.

The cybercriminals exploiting this vulnerability are not sophisticated nation-state actors wielding exotic tools. They are opportunists armed with scanners and patience, counting on organizations to keep making the same mistake: assuming that physical security devices exist outside the realm of cyber risk. That assumption has never been more dangerous.

Patch your cameras. Audit your network. And treat every connected device — regardless of who manages it — as a potential entry point into your most sensitive systems. In today's threat landscape, a surveillance camera is not just hardware on a wall. It is an endpoint, and it deserves to be secured like one.
