Security Vulnerability in Hikvision Cameras Enables Unauthorized Access to Sensitive Information

The cybersecurity community is sounding alarms as evidence mounts of threat actors leveraging a long-standing Hikvision camera vulnerability to harvest sensitive data.

Over the past week, multiple organizations operating honeypots have logged repeated HTTP requests targeting the /System/deviceInfo endpoint with a familiar but worrying payload: an “auth” parameter set to a Base64-encoded credential string.

The decoded value, “admin:11,” hints at a brute-force technique exploiting weak default or user-configured passwords, potentially granting intruders unfettered access to critical device information.

Rising Exploitation of Base64 Credentials

Analysis of honeypot logs reveals that the path has been probed with increasing frequency since early September.

While earlier attention focused on the request, recorded over 6,700 times between August 2018 and September 23, 2025, this particular device info endpoint only recently surpassed reporting thresholds.

Security professionals now report over 2,000 instances of the query in aggregated logs, underscoring an uptick in malicious interest.

Attackers are likely exploiting hard-coded or default credentials, bypassing authentication to retrieve configuration settings, network details, and even camera logs.

This stealthy approach can facilitate lateral movement within compromised networks, as adversaries map out connected devices and sensitive surveillance data.

Historical Vulnerabilities and Persistent Threats

The method echoes the privilege escalation vulnerability tracked as CVE-2017-7921, originally disclosed in 2017.

Hikvision’s advisory described the flaw with minimal detail, advising only that certain camera models contained a “backdoor” account enabling elevated privileges.

Although the advisory stopped short of specifying affected URLs, security researchers have since cataloged multiple endpoints susceptible to the “auth” parameter technique.

Beyond, other commonly targeted paths include /Security/users and /onvif-http/snapshot, the latter yielding live image data when successfully exploited.

Weak default passwords, such as the simplistic “11” uncovered in the recent log, compound the risk, as many users struggle to set robust credentials through camera DVR interfaces that often limit input to an on-screen numeric keyboard.

Security Implications and Recommendations

Embedding credentials in URLs is inherently insecure, as they can be logged in plaintext by servers, proxies, and client applications.

Despite this, many device management tools and dashboards continue to rely on URL-based authentication for convenience.

To mitigate this threat, organizations should immediately audit deployed Hikvision and similar IP camera systems.

Administrators must enforce strong, complex passwords and disable any legacy or undocumented service accounts.

Firmware updates released by the vendor should be applied without delay to address known backdoor credentials.

Network segmentation and strict firewall rules can further limit unauthorized access; isolating camera management interfaces from general LAN traffic reduces the attack surface.

Finally, monitoring web server logs for repeated “auth” parameter usage can serve as an early warning of brute-force attempts.
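One way to run that check over an access log, shown as an added example rather than tooling from the article or from Hikvision: it assumes the common/combined log format, and the `scan` and `decode_user` names, the threshold of 3 and the sample lines are constructed for illustration.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Paths the article names as targets of the "auth" parameter technique.
WATCHED_PATHS = {"/System/deviceInfo", "/Security/users", "/onvif-http/snapshot"}
# Assumption: common/combined access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_user(value):
    """Return the username from a Base64 'user:password' value, or None."""
    try:
        text = base64.b64decode(value.replace(" ", "+"), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _ = text.partition(":")
    return user.strip() if sep else None

def scan(lines, threshold=3):
    """Group auth-parameter requests by source IP; return IPs at or above threshold."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "users": set(), "ok": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        auth = parse_qs(url.query).get("auth")
        if url.path not in WATCHED_PATHS or not auth:
            continue
        rec = hits[m["ip"]]
        rec["count"] += 1
        rec["paths"].add(url.path)
        rec["ok"] += int(m["status"] == "200")  # 200 responses deserve a closer look
        user = decode_user(auth[0])
        if user:
            rec["users"].add(user)  # record the username only, never the password
    return {ip: rec for ip, rec in hits.items() if rec["count"] >= threshold}

# Constructed sample lines using documentation addresses, not real honeypot data.
LOG = '{} - - [23/Sep/2025:10:00:00 +0000] "GET {} HTTP/1.1" {} 0'
SAMPLE = [LOG.format(*row) for row in [
    ("203.0.113.7", "/System/deviceInfo?auth=YWRtaW46MTE=", 401),
    ("203.0.113.7", "/Security/users?auth=YWRtaW46MTE=", 401),
    ("203.0.113.7", "/onvif-http/snapshot?auth=YWRtaW46MTE=", 200),
    ("198.51.100.20", "/System/deviceInfo?auth=YWRtaW46MTE=", 401),
    ("198.51.100.9", "/System/deviceInfo", 401),
]]
```

Calling `scan(SAMPLE)` flags only 203.0.113.7, which sent three auth-bearing requests across the watched paths and received one 200 response.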

As threat actors refine their tactics, the exploitation of embedded camera vulnerabilities remains a critical concern for enterprises and critical infrastructure operators alike.

Proactive security hygiene and vigilant monitoring are essential to prevent adversaries from turning overlooked surveillance devices into gateways for broader network compromise.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
