A Cyfirma report found more than 80,000 Hikvision cameras in more than 100 countries exposed online, with their web ports open and still unpatched against CVE-2021-36260, a command-injection vulnerability exploitable by anyone with HTTP access to TCP port 80 or 443 of an affected camera.
The bug carries a CVSS score of 9.8 out of 10, meaning it can be exploited over the network with no credentials and no user interaction, which is the security equivalent of an invading army in your capital being only several streets away from Parliament while your government is on board a submarine looking for a neutral country.
The US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its list of "must patch" security flaws, the Known Exploited Vulnerabilities catalog, early this year, noting that the vulnerability was already being exploited in the wild.
In a report last December, researchers at Fortinet said that the Hikvision vulnerability was being targeted by "numerous payloads," including variants of the Mirai botnet.
Cyfirma said it also discovered multiple instances of criminals collaborating online to exploit the Hikvision vulnerability. "We have reasons to believe that Chinese threat groups such as MISSION2025/APT41, APT10 and its affiliates, as well as unknown Russian threat actor groups could potentially exploit vulnerabilities in these devices," Cyfirma said.
Most of the exposed devices are in China, followed by the US, Vietnam, the UK, and Ukraine.
"Open vulnerabilities and ports in such devices will only compound the impact on targeted organizations and their countries' economic and state prowess. It is paramount to patch the vulnerable software of the Hikvision camera products to the latest version," Cyfirma said.