Tracked as CVE-2021-36260 and affecting over 70 cameras and NVRs from Hikvision, the critical-severity bug can be exploited to gain root access and completely take over vulnerable devices, without any form of user interaction.

Hikvision released patches for the vulnerability on September 18 and, shortly after, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations, urging them to apply the fixes immediately.

Now, Fortinet warns that attackers are attempting to exploit the vulnerability to deploy various payloads that allow them to probe devices or extract sensitive data.