A single decade-old vulnerability has turned thousands of internet-connected surveillance cameras into a massive attack surface across the UK.
New research shows that more than 67 million cyberattack attempts targeted Hikvision cameras on UK networks in a single year — all stemming from a long-patched but still widely exposed flaw.
The findings highlight a growing problem in cybersecurity: forgotten devices never stop being exploited.
A Decade-Old Bug Still Driving Modern Attacks
The data comes from a global study by firewall vendor SonicWall, which tracks threats blocked at network perimeters.
The attacks primarily target internet-connected surveillance systems from Hikvision, the world’s largest CCTV supplier.
At the center of the issue is a command injection vulnerability that allows attackers to execute remote commands on affected cameras — potentially turning them into surveillance tools, entry points, or botnet nodes.
Even though the vulnerability is years old, unpatched and exposed devices continue to attract constant scanning and exploitation attempts.
UK Networks Face Millions of Blocked Intrusions
SonicWall reports that its firewalls blocked over 67 million attempts in 2025 alone, making Hikvision-related attacks the most common source of intrusion prevention system (IPS) alerts across UK networks.
These attacks accounted for roughly 20% of all medium and high-severity alerts detected in the region.
While most attempts were automatically stopped, the sheer volume shows how aggressively attackers continue to target known weaknesses.
The “Zombie Tech” Problem
Security researchers are now referring to this phenomenon as Zombie Tech — devices that remain active, connected, and vulnerable long after vulnerabilities are publicly disclosed and patched.
Surveillance cameras are particularly problematic because they are often:
- Installed and forgotten
- Rarely updated
- Exposed to the internet
- Deployed across sensitive environments
This makes them ideal entry points for attackers looking to build botnets or gain persistence inside networks.
Hikvision Under Global Scrutiny
The widespread use of Hikvision equipment has already led to restrictions and bans in several countries, including the UK, US, India, Canada, and parts of the EU.
These measures are typically focused on government and critical infrastructure environments rather than full consumer bans, leaving many devices still operational in private and commercial settings.
Earlier research from firms like Fortinet has also shown that attackers continue exploiting older IoT vulnerabilities long after official disclosure — especially in surveillance systems.
Not Just Cameras: Routers Are Also Under Attack
The same report highlights that surveillance devices are not the only target.
Attackers are also actively scanning consumer networking hardware, including TP-Link routers, with hundreds of thousands of recorded intrusion attempts.
In one example, over 602,000 attack attempts targeted TP-Link AX21 devices across monitored environments.
This shows a broader trend: attackers are systematically probing everything connected to the internet — not just high-value enterprise systems.
Why Old Vulnerabilities Still Work
The persistence of these attacks comes down to a simple reality: exploitation scales better than patching.
Even when fixes exist, devices remain vulnerable because:
- Firmware updates are not applied
- Devices are no longer supported
- Network segmentation is missing
- Remote access remains enabled
As SonicWall’s Spencer Starkey noted, attackers are exploiting both advanced enterprise flaws and basic, long-known vulnerabilities at scale.
What Organizations Need to Do Now
To reduce exposure, security teams are being urged to take immediate action:
- Apply firmware and security patches consistently
- Isolate IoT and surveillance devices from core networks
- Disable UPnP where not required
- Replace unsupported legacy hardware
- Restrict or eliminate remote camera access
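The checklist above can be run as a recurring audit over a device inventory. The sketch below is an added example, not code from SonicWall or Hikvision; the inventory records, field names, network ranges and firmware strings are all constructed placeholders.

```python
import ipaddress

# Assumption: cameras are meant to live only on this isolated VLAN.
IOT_NET = ipaddress.ip_network("10.50.0.0/24")

# Constructed sample inventory; every name, address and version is a placeholder.
INVENTORY = [
    {"name": "cam-lobby", "ip": "10.0.4.21", "firmware": "1.0.0", "latest": "1.2.0",
     "vendor_supported": True, "upnp": True, "remote_access": True},
    {"name": "cam-dock", "ip": "10.50.0.12", "firmware": "1.2.0", "latest": "1.2.0",
     "vendor_supported": True, "upnp": False, "remote_access": False},
    {"name": "cam-yard", "ip": "10.50.0.13", "firmware": "0.9.1", "latest": None,
     "vendor_supported": False, "upnp": False, "remote_access": True},
]

def version_tuple(version):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def audit(device):
    """Return the checklist actions that still apply to one device."""
    findings = []
    if not device["vendor_supported"]:
        # No fix will ever arrive, so patching is not an option.
        findings.append("replace: unsupported legacy hardware")
    elif version_tuple(device["firmware"]) < version_tuple(device["latest"]):
        findings.append("patch: firmware behind latest release")
    # Address placement is only a proxy; firewall rules must enforce the isolation.
    if ipaddress.ip_address(device["ip"]) not in IOT_NET:
        findings.append("isolate: device is outside the IoT segment")
    if device["upnp"]:
        findings.append("disable: UPnP is enabled")
    if device["remote_access"]:
        findings.append("restrict: remote access is enabled")
    return findings

def report(inventory):
    """List devices with open findings, most findings first."""
    rows = [(d["name"], audit(d)) for d in inventory]
    return sorted((r for r in rows if r[1]), key=lambda r: -len(r[1]))

if __name__ == "__main__":
    for name, findings in report(INVENTORY):
        print(name)
        for finding in findings:
            print("  -", finding)
```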
The Bigger Picture
The Hikvision case is not just about one vendor or one vulnerability.
It’s a reminder that internet-connected devices don’t age out of risk — they age into it.
And as long as legacy systems remain online, attackers will continue treating them as open doors into modern networks.