As modern warfare increasingly moves into the digital realm, a new report from Check Point Research (CPR) reveals how cyber operations are being used as a “force multiplier” for kinetic military action. Researchers have identified an intensified campaign by Iranian-nexus threat actors to compromise IP cameras across the Middle East, potentially serving as a real-time reconnaissance tool for missile operations and battle damage assessment (BDA).
The targeting, which began spiking on February 28, spans several countries including Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus.
The compromise of network-connected cameras has become a central part of Iranian cyber-military doctrine. According to the report, “Iran, as part of its doctrine, leverages camera compromise for operational support and ongoing battle damage assessment (BDA) for missile operations, potentially in some cases prior to missile launches”.
The report points to a historical precedent. During a 2025 conflict, Iran reportedly struck Israel’s Weizmann Institute of Science with a ballistic missile after having “taken control of a street camera facing the building just prior to the hit”.
The threat actors are not using groundbreaking new exploits. Instead, they are relying on a series of well-known vulnerabilities in popular devices from manufacturers like Hikvision and Dahua.
- CVE-2017-7921: A legacy improper authentication flaw in Hikvision firmware.
- CVE-2021-36260: A critical command injection vulnerability in Hikvision’s web server.
- CVE-2021-33044: An authentication bypass vulnerability affecting multiple Dahua products.
- CVE-2025-34067: A recent unauthenticated remote code execution (RCE) vulnerability in Hikvision’s management platform.
While patches are available for all these flaws, the sheer number of exposed, unpatched devices provides a vast “reconnaissance network” for adversarial use.
The spikes in camera-targeting activity are closely aligned with significant regional events. For instance, waves of activity in mid-January coincided with the peak of internal anti-regime protests in Iran and the temporary closure of its airspace.
The report notes that “tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity”.
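One way a defender could track this kind of spike against their own cameras, as an added example that is not from the CPR report or this article: count external connections to inventoried cameras per day and flag days that exceed a trailing median + MAD baseline. The camera addresses, internal range, log format and thresholds are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter
from statistics import median

# Assumptions (constructed, not from the report): camera inventory, internal
# range, and a firewall log format of "<date> <src> <dst> <dport> <action>".
CAMERA_HOSTS = {"10.20.0.11", "10.20.0.12"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

def build_sample_log():
    """Constructed log: six quiet days, then a burst against one camera."""
    daily = {"01": 3, "02": 2, "03": 4, "04": 3, "05": 2, "06": 3, "07": 40}
    lines = [f"2030-01-{day} 198.51.100.{i + 1} 10.20.0.11 80 ALLOW"
             for day, n in daily.items() for i in range(n)]
    lines.append("2030-01-07 198.51.100.9 10.30.0.5 443 ALLOW")  # not a camera
    lines.append("2030-01-07 10.20.0.50 10.20.0.12 80 ALLOW")    # internal source
    lines.append("truncated line")                               # malformed
    return lines

def daily_external_hits(lines, camera_hosts=CAMERA_HOSTS):
    """Count per-day connections from outside INTERNAL_NET to known cameras."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing fields
        day, src, dst, _dport, _action = parts
        try:
            external = ipaddress.ip_address(src) not in INTERNAL_NET
        except ValueError:
            continue  # source field is not an IP address
        if external and dst in camera_hosts:
            counts[day] += 1
    return counts

def flag_spikes(counts, window=5, k=5.0, min_hits=10):
    """Flag days exceeding median + k*MAD of the preceding `window` days."""
    days, flagged = sorted(counts), []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[i - window:i]] if i >= window else []
        if not history:
            continue  # not enough baseline yet
        med = median(history)
        mad = median(abs(x - med) for x in history) or 1  # avoid a zero band
        if counts[day] >= min_hits and counts[day] > med + k * mad:
            flagged.append((day, counts[day], med))
    return flagged

if __name__ == "__main__":
    print(flag_spikes(daily_external_hits(build_sample_log())))
```

Days with no hits never appear in the counter, so on real data fill missing dates with zero before computing the baseline.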