Attackers are exploiting CVE-2021-36260, a command injection vulnerability in Hikvision devices, using a novel technique involving the 'mount' command as a GTFOBin. This method allows them to mount a remote NFS share and execute malicious files, bypassing common network signatures. The technique has been added to VulnCheck's go-exploit framework. The attacks originate from specific IP addresses and utilize Mirai-like payloads. Over one million potentially vulnerable internet-facing targets are still exposed, making this exploit highly viable for internal pivots or building proxy networks. Advanced threat actors like Flax Typhoon and Fancy Bear have been associated with exploiting this vulnerability.