Mod Edit: Investigation of latest firmware after a router detected port scanning

If there wasn’t an issue then why is this thread here?

Interesting must be a user error we dud all of our 86 cams and our service technicians had no issues with them…most people have know clue how the camera works all they want is to open there app and hope it works

As Gwen said, is very interested in hearing about these issues. This thread is an indication people are experiencing something. It could be the new firmware is misbehaving, as has happened with excessive DNS lookups in the past. They need to hear of issues so they can address them, so please contact them. Thanks! :slight_smile:


This is, actually, the opposite of the original poster’s report (that the V3 was the source and scanning other devices).

If you turned off your cameras and are still seeing the alerts than either the P2P servers are still trying to answer old requests or there is some kind of error or backlog at the router.

Hi All,

It looks like that my Wyze Cam 3 not only tried to scan ports on devices on my lan , but lately tried to establish VPN connection with some IP clearly not belonging to Wyze.

See the screenshot

Any comments?
For Wyze, it would be very easy to either confirm if this IP belongs to them OR to their trusted contractors or admit they have no idea why their camera connects to this IP.

If latter is true, then we likely have SolarWind-style attack on Wyze.

Also from my observations, whoever is manipulating with the backdoor in Wyze firmware, they are being patient and careful allowing days or weeks between manipulation attempts.
They are not in a rush looks like.

Have you forwarded this info to


Yes. You really have to stop trusting your router’s mediocre reporting so much and extrapolating so much malice and breadth from so very little evidence.

Leaseweb USA (the owner of the address in question) appears to be one of the usual set of hosting providers used by Wyze’s P2P vendor TUTK, this one located in Phoenix. Your router’s claim that it is a VPN connection is very likely wrong, though SSL/TLS is probably used.

Please feel free, as suggested, to take up Wyze’s security team’s time and report back their findings, but I think you are once again overreacting massively.

See also

Search results for 'leaseweb' - Wyze Forum

1 Like

Hi, their security team just replied claiming this IP is legit.

So it should be false alarm then.

Probably router’s AI was too agitated by previous findings about this device on my network.


Thanks for reporting back, good to hear!

1 Like

Not sure why my router is reacting to this specific device. I have like 50 devices on my lan and several years of quietness of my router’s AI reporting .

Probably Wyze is doing stuff unusual way

Some of the Wyzes are definitely guilty of excessive queries / activity. There are several threads about the V3s generating thousands of needless DNS queries per hour. So that may be part of it.

1 Like

They may have also recently updated the AI.

1 Like


Another thing puzzling me is if that is a part of legit process then should it be happening everyday or at least every camera reboot?

Obviously it is not.

So this pattern puzzles me - once in several weeks connection VPN or lan devices poscan.

I would understand that better if it was regular activity

Next time it happens, try submitting a log as soon as possible. Then contact with the log number. If the V3 is misbehaving, maybe they can focus on the cause and correct it.


iPhone on my network just got infected with something.
Not sure if Wyze’s camera port scan of my lan devices 3 days ago had something to do with it .
But it is definitely looks suspicious.

out of sudden so many events separated by days resulting in infection of another lan device…
I have to stop it.

Tell me what to do if you have better idea

Again this might be a coincidence of reparate independent events but given their individual rarety (once in several years) jamming all of them in the span of just two weeks after Wyze firmware upgrade is very unlikely

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.