
Advisory

Dahua / Hikvision NVR exposure — unchanged in 2026

Four years into the known vulnerability window, Dahua and Hikvision NVRs remain the single most commonly exploited physical-security asset in Canada. The right response isn't patching — it's replacement.

Critical, Dahua, Hikvision

Affects

Legacy NVR deployments, Low-cost residential / small-commercial video

Dahua and Hikvision-branded NVRs remain, by volume, the most commonly internet-exposed physical-security asset in the Canadian market. Recent scans still find tens of thousands of them running unpatched firmware with default or brute-forceable credentials.

Publicly available exploit tooling turns these devices into access points — for botnets, pivot points into commercial networks, or live-feed exfiltration. The problem isn't hypothetical; it's in active use.

Many were installed by residential or small-commercial integrators who disappeared years ago. The clients inherited the risk without inheriting the knowledge. If you're running one of these, the right move is a replacement, not a patch cycle.

Mitigation

What to do this week.

  1. Audit for Dahua / Hikvision branded equipment. Don't assume an installer's shell-branded unit isn't actually one of these.
  2. Remove from public internet immediately. Even if patched, the CVE history warrants isolation.
  3. Plan replacement with a modern platform. Budget this as a risk-mitigation project, not an upgrade.
  4. In the interim: credential rotation, firmware update, and a documented network isolation plan.
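One way to run the audit in step 1 against your own asset inventory, as an added example that is not part of the original advisory: it compares each device's MAC prefix against the IEEE OUI registry instead of trusting the label on the box. It assumes a rebadged unit keeps the OEM's registered MAC prefix and that you have an inventory CSV with `label`, `ip` and `mac` columns; the function names, the sample rows and the OUI prefixes shown are constructed placeholders.

```python
import csv
import io
import re

VENDOR_KEYWORDS = ("hikvision", "dahua")

# Constructed sample in the IEEE oui.csv column layout; prefixes are placeholders.
SAMPLE_OUI_CSV = '''Registry,Assignment,Organization Name,Organization Address
MA-L,0A0001,"Hangzhou Hikvision Digital Technology Co.,Ltd.",constructed
MA-L,0A0002,"Zhejiang Dahua Technology Co., Ltd.",constructed
MA-L,0A0003,Example Switch Vendor Inc.,constructed
'''

# Constructed inventory: the label on the box next to the MAC seen on the LAN.
SAMPLE_INVENTORY = '''label,ip,mac
Hikvision NVR,192.0.2.10,0a:00:01:11:22:33
InstallerBrand NVR-8,192.0.2.11,0A-00-02-44-55-66
Core switch,192.0.2.1,0a00.0377.8899
Lobby recorder,192.0.2.12,not recorded
'''

def load_vendor_prefixes(oui_csv_text):
    """Map 6-hex-digit OUI -> registrant for the vendors being audited."""
    prefixes = {}
    for row in csv.DictReader(io.StringIO(oui_csv_text)):
        org = row["Organization Name"]
        if any(k in org.lower() for k in VENDOR_KEYWORDS):
            prefixes[row["Assignment"].upper()] = org
    return prefixes

def normalize_mac(mac):
    """Return 12 uppercase hex digits, or None if the field is unusable."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def audit(inventory_text, prefixes):
    """Classify each device as flagged, rebranded, clear or unverified."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            status = "unverified"  # no MAC on file: inspect by hand, never assume clear
        elif mac[:6] not in prefixes:
            status = "clear"
        elif any(k in row["label"].lower() for k in VENDOR_KEYWORDS):
            status = "flagged"
        else:
            status = "rebranded"   # label hides the OEM, hardware address does not
        results.append((row["label"], row["ip"], status))
    return results
```

A `clear` result only means the MAC prefix did not match, so treat it as a first pass and confirm recorders physically or through their web interface before crossing them off.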

Want us to apply this to your system?

A 30-minute remote review against this advisory, no obligation. We'll tell you on the call whether you're exposed and what the fix looks like.
