> root@nvr-mgmt:~# cat /config/network.json | jq '.cameras[].gateway' | sort -u && echo 'VLANs mapped'<span class="cursor-blink">_</span>_
CCTV systems occupy a peculiar position in organisational security. They are, by their explicit purpose, security infrastructure — deployed to deter crime, monitor access points, and provide evidential recordings. They are operated by the facilities or security team. They are funded from the physical security budget. And they are, almost universally, treated as appliances rather than as networked computing devices.
This is a mistake. A modern CCTV system is not a collection of passive cameras feeding analogue signals to a monitor in a guard's office. It is a network of IP-connected devices — cameras, network video recorders, video management servers, analytics engines — running embedded Linux or Windows, communicating over standard IP protocols, storing terabytes of video data, and managed through web interfaces that are functionally identical to any other networked appliance.
And like every other networked appliance we have discussed in this series — the coffee machine, the backup appliance, the building management system — CCTV infrastructure is consistently deployed with less security rigour than the IT systems it sits alongside. Default credentials. Outdated firmware. Exposed management interfaces. Flat network placement.
On this engagement, a CCTV network video recorder became the single most valuable intelligence source we encountered during the entire assessment. It told us more about the client's network than their own documentation did.
The client was a logistics company operating a large distribution centre and an adjacent administrative office. The site handled high-value goods and was subject to insurance requirements mandating comprehensive CCTV coverage. The surveillance system comprised over one hundred and twenty IP cameras covering the warehouse floor, loading bays, perimeter fencing, car parks, office corridors, and reception areas. The cameras fed into a pair of enterprise network video recorders (NVRs) and a centralised video management system (VMS) used by the security control room.
We had been engaged to conduct an internal network penetration test across the corporate and operational environments. The CCTV system was within scope — the client had listed it as part of the facilities infrastructure but had not flagged it as a system of particular concern. It was, in their words, 'just the cameras'.
It was not just the cameras.
During initial network enumeration from the user VLAN (10.10.2.0/24), we identified several devices with HTTP and RTSP services running on a subnet that was not listed in the client's network documentation.
One hundred and twenty-four devices on a subnet that did not appear in the client's network documentation or asset register. The CCTV system had its own VLAN — 10.10.50.0/24 — but the VLAN was fully routable from the corporate user network. No firewall rules restricted access between the user VLAN and the CCTV VLAN. Every camera, every NVR, and the VMS server were accessible from any workstation in the building.
The CCTV VLAN had been configured during the initial installation by the surveillance contractor. It had been created as a separate VLAN for traffic management purposes — to keep the high-bandwidth video streams from saturating the corporate network — rather than for security purposes. The routing between VLANs had been left in its default permissive state.
We focused on NVR-01 at 10.10.50.10 — the primary network video recorder. The device's web management interface was accessible on port 443. The login page displayed the manufacturer's branding and model number.
We tested the manufacturer's documented default credentials.
admin / admin. The most widely documented default credential pair in existence. Unchanged since the NVR was installed in 2021. The firmware had not been updated in three and a half years. NVR-02 had the same credentials. The VMS server used a different default — the vendor's documented alternative — but was equally accessible.
What we found inside the NVR's management interface was far more valuable than the video feeds.
A network video recorder's primary function is to receive video streams from cameras and store them. To do this, the NVR must know where every camera is on the network — its IP address, its subnet, its gateway, its credentials. The NVR's configuration is, effectively, a comprehensive network map of every subnet where cameras are deployed.
This client's cameras were not confined to the CCTV VLAN. They were deployed across multiple network segments — wherever physical coverage was needed. The NVR's configuration revealed the full picture.
The NVR's camera configuration revealed five VLANs — two of which (Warehouse OT and Management) did not appear in the network documentation provided during scoping. It disclosed subnet ranges, gateway addresses, and the IP addresses of one hundred and twenty-one individual hosts. From a single device, accessed with default credentials, we obtained a more complete network map than the client's own documentation provided.
The presence of cameras on the Server VLAN and Management VLAN was particularly significant. These cameras existed to provide physical surveillance of sensitive areas — the server room, the IT office, the security control room. But their presence on these VLANs meant that the NVR required network connectivity to those VLANs to receive the video streams. The CCTV system was, by design, connected to the most sensitive network segments in the organisation.
The NVR's camera configuration disclosed the existence, subnet ranges, and gateway addresses of five VLANs — including two undocumented segments. The CCTV system's operational requirement to connect to cameras on multiple VLANs made the NVR a single point of reconnaissance for the entire network topology.
The NVR stores credentials for every camera it manages — the username and password used to authenticate the RTSP or proprietary video stream. These credentials are configured during installation and stored in the NVR's configuration database.
The NVR's administrative interface included a configuration export function — designed for backup purposes, allowing the administrator to download the complete NVR configuration as a file. We exported the configuration.
The configuration export contained credentials in plaintext — not just for the cameras, but for every service the NVR integrated with. An SMTP account for email alerting. An Active Directory service account used for LDAP user synchronisation. An FTP account for video export. A NAS share credential for backup storage. All with passwords following the same pattern — the function name, the year of installation, and an exclamation mark. All unchanged since 2021.
The Active Directory service account (svc_cctv) was the most significant. We tested its domain permissions.
The svc_cctv account was not a domain administrator — it was a standard domain user with LDAP bind permissions, used only for user directory synchronisation. But in Active Directory, any authenticated domain user can read the directory. The account gave us full enumeration of eight hundred and forty-seven user accounts — usernames, email addresses, group memberships, organisational structure, and manager relationships. This is the information that fuels targeted attacks: password spraying, phishing, and privilege escalation through group membership analysis.
The credentials from the NVR gave us a domain user account and a complete list of usernames. The password pattern from the NVR credentials (function + year + !) suggested an organisational culture of predictable password construction. We conducted a careful, rate-limited password spray against the domain — testing a small number of common passwords against the enumerated user list.
Five domain accounts compromised. The password candidates were derived from the patterns observed in the NVR's stored credentials — the same predictable construction of a word, a year, and a special character. The username list came from the LDAP enumeration performed with the CCTV service account. The entire password spray was built on intelligence gathered from the surveillance system.
One of the compromised accounts — j.harrison — was a member of the IT support group with local administrator rights on workstations. From this account, we performed standard lateral movement techniques (covered in our earlier articles) to escalate to domain administrator.
The individual cameras warranted assessment as well. Each camera was a networked Linux device with its own web interface, running embedded firmware from the manufacturer. Of the one hundred and twenty-one cameras, one hundred and eight retained the manufacturer's default credentials — the same credentials stored in the NVR configuration.
The camera firmware version was consistent across the fleet — a single version deployed during installation and never updated. We identified the firmware version and checked it against the manufacturer's security advisories.
One hundred and twenty-one cameras running firmware with two known critical vulnerabilities — one a command injection flaw that had been actively exploited in the wild by threat actors, including state-sponsored groups targeting surveillance infrastructure. The patches had been available for over three years and two years respectively. Neither had been applied.
Cameras with command injection vulnerabilities are not merely compromised cameras. They are Linux computers on your network under an attacker's control. An attacker who exploits CVE-2021-36260 gains a root shell on the camera — from which they can scan the network, capture traffic, pivot to adjacent devices, and establish persistent access. The camera continues to function normally. It still records video. It still streams to the NVR. It just also does whatever the attacker instructs it to do.
The cameras deployed on the Server VLAN, Management VLAN, and Warehouse OT VLAN are of particular concern. A compromised camera on the Server VLAN is a Linux host on the server network — bypassing any firewall rules that restrict user VLAN access to the servers. A compromised camera on the OT VLAN is a pivot point into the warehouse automation systems.
Beyond the network intelligence, the CCTV system provided physical intelligence that would be valuable to any attacker planning a physical intrusion — precisely the kind of attack the CCTV system was supposed to deter.
With administrative access to the NVR, we could view live and recorded video from all one hundred and twenty-one cameras. The video revealed operational patterns that would assist social engineering or physical intrusion.
| Camera Location | Intelligence Value |
|---|---|
| Reception / Entrance | Visitor sign-in process observable. Badge format and wearing position visible. Tailgating patterns at main entrance identifiable. |
| Server Room | Access control mechanism visible (badge reader model identified). Cabinet positions, rack layout, and cabling visible. Staff access patterns and timing observable. |
| Security Control Room | Number of security staff visible. Shift change timings observable. Monitor layout and blind spots identifiable. Camera coverage gaps derivable. |
| Loading Bays | Delivery schedules and contractor access patterns observable. Unescorted access periods identifiable. Vehicle types and registration plates captured. |
| Car Parks / Perimeter | Staff arrival and departure patterns. Perimeter fence condition and coverage gaps. Guard patrol routes and intervals. |
The irony is stark. The CCTV system existed to provide the organisation with surveillance capability against threats. Compromised, it provided the attacker with that same surveillance capability against the organisation. The security control room camera, in particular, allowed us to observe the security team themselves — how many were on duty, when they changed shifts, which monitors they watched, and which areas had reduced attention.
We did not access or record any personal data from the video feeds. The finding was documented based on the capability demonstrated — that administrative access to the NVR provided unrestricted access to live and recorded feeds from all cameras — without exercising it further.
| Step | Action | Weakness Exploited |
|---|---|---|
| 01 | Identified 124 devices on undocumented CCTV VLAN from user network | CCTV VLAN fully routable from user VLAN; no firewall restrictions |
| 02 | Accessed NVR-01 with admin/admin — full administrative control | Default credentials unchanged since 2021 installation |
| 03 | Extracted complete network topology from camera configuration | Cameras on 5 VLANs; NVR config revealed subnets, gateways, IPs |
| 04 | Extracted plaintext credentials for AD, SMTP, FTP, NAS from NVR config | Credentials stored in plaintext in exportable configuration file |
| 05 | Enumerated 847 domain accounts via LDAP using CCTV service account | AD LDAP readable by any authenticated domain user |
| 06 | Password spray yielded 5 domain accounts using CCTV-derived patterns | Predictable password patterns; no account lockout on spray |
| 07 | Identified 121 cameras with 2 critical unpatched CVEs | Firmware not updated in 4+ years; cameras are potential pivot points |
The most impactful architectural change is moving cameras onto a dedicated CCTV VLAN with strict firewall rules. Cameras should communicate only with the NVR — no lateral communication between cameras, no access to other VLANs, no internet access. The cameras currently deployed on the Server VLAN, Management VLAN, and OT VLAN should be physically recabled to switch ports assigned to the CCTV VLAN, with the video stream routed to the NVR through controlled firewall rules. This eliminates the cameras as pivot points between network segments.
802.1X port authentication for camera network ports prevents an attacker from disconnecting a camera and connecting their own device to the network port — gaining the camera's network position and VLAN access. Without 802.1X, any device plugged into a camera's network cable inherits the camera's network connectivity.
NVR management access must be restricted to dedicated security workstations on a management VLAN — not accessible from the general user network. The NVR's configuration export function should require multi-factor authentication or be disabled entirely, as it provides plaintext access to every credential the system stores.
Most fundamentally, formal ownership of the CCTV system must be assigned to the IT security team. The ownership gap — where facilities manages the physical cameras, IT manages the network, and nobody manages the firmware or credentials — is the root cause of every finding in this engagement. A single team must be accountable for the security posture of the CCTV infrastructure: firmware currency, credential management, network segmentation, and access control.
There is a particular irony in compromising an organisation through its surveillance system. The cameras exist to watch for threats. The NVR exists to record evidence. The VMS exists to give the security team visibility. And yet, when those systems are deployed with default credentials, unpatched firmware, and unrestricted network access, they provide an attacker with more visibility than the security team has ever used them for.
The NVR gave us a network map. It gave us credentials. It gave us a domain user account. It gave us a username list. It gave us password patterns. It gave us physical surveillance intelligence. It gave us the attack surface of one hundred and twenty-one unpatched Linux devices distributed across five network segments. All from a single device, accessed with a password that is printed in the first chapter of the installation manual.
CCTV systems are security infrastructure. They should be secured like security infrastructure — with the same rigour applied to firewalls, access control systems, and intrusion detection platforms. Because when a security system is compromised, the attacker does not merely bypass it. They inherit it.
Until next time — stay sharp, stay curious, and change the default password on your NVR. It has been admin/admin since installation, and we both know it.
This article describes a penetration test conducted under formal engagement with full written authorisation from the client. All identifying details have been altered or omitted to preserve client confidentiality. Video feeds were accessed only to the extent necessary to confirm the capability — no recordings were made, stored, or exfiltrated. CCTV footage may contain personal data subject to GDPR and the Data Protection Act 2018. Unauthorised access to surveillance systems may constitute offences under the Computer Misuse Act 1990 and the Regulation of Investigatory Powers Act 2000. Do not attempt to replicate these techniques without proper authorisation.
Hedgehog Security assesses surveillance infrastructure with the same rigour we apply to any networked system. We test NVR and VMS credentials, camera firmware, network segmentation, credential storage, and the pivot potential of cameras deployed across multiple network segments. Your CCTV system sees everything. Make sure an attacker does not see it too.