AimactGrow

Critical Flaws Found in Dahua Cameras

By Admin, July 31, 2025


Endpoint Security, Internet of Things Security

Unauthenticated Bugs Allow Full Remote Code Execution

Prajeet Nair (@prajeetspeaks) • July 30, 2025

A Dahua Hero C1 smart camera. (Image: Dahua)

Unauthenticated attackers can remotely hijack Dahua Hero C1 smart cameras by exploiting firmware vulnerabilities, Bitdefender warned in a coordinated disclosure published Wednesday.


Bitdefender said one flaw resides in how the firmware handles ONVIF protocol messages. The name once stood for “Open Network Video Interface Forum,” and the protocol is an industry standard for transmitting commands between software and networked security products such as cameras. The other flaw is an undocumented file upload endpoint.

“Successful exploitation provides root-level access to the camera with no user interaction,” Bitdefender said. “Because the exploit path bypasses firmware integrity checks, attackers can load unsigned payloads or persist via custom daemons, making cleanup difficult.”

Dahua Technology released patches on July 7 and published an advisory on July 23. The Dahua Hero C1 smart camera is designed for small business owners. The partially Chinese government-owned corporation reported roughly $4.5 billion in revenue during 2024 but is on a number of U.S. blacklists.

The first vulnerability, tracked as CVE‑2025‑31700, is a stack-based buffer overflow triggered by a malformed HTTP header. According to Bitdefender, an attacker can write an arbitrary number of bytes to the stack, “as long as the payload doesn’t contain a ] character or a null byte.” This allows for a complete overwrite of CPU registers, which hold data and instructions during processing, and execution redirection. Bitdefender’s proof of concept uses this flaw to drop an Executable and Linkable Format (ELF) payload and “spawn a bind shell on port 4444 using LD_PRELOAD, bypassing binary signature checks.”

The second flaw, CVE‑2025‑31701, resides in the camera’s handler for an undocumented endpoint. It allows an attacker to overflow a .bss section buffer using the command sequence header field that appears in Session Initiation Protocol messages. The camera copies the header directly into the buffer because of a flawed implementation of a C programming language function that copies strings.
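The defect class described for CVE‑2025‑31701, shown from the defensive side as an added example (not Dahua firmware code and not from Bitdefender's report): a header value is length-checked before it is copied into a fixed-size static buffer. The buffer size, function names and sample message are constructed for illustration, and `CSeq` is assumed as the name of the command sequence header.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CSEQ_MAX 32               /* hypothetical field size */
static char g_cseq[CSEQ_MAX];     /* zero-initialised static storage: placed in .bss */
enum hdr_status { HDR_OK = 0, HDR_MISSING = -1, HDR_TOO_LONG = -2 };

/* Case-insensitive comparison of the first n bytes of a and b. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Copy the value of header `name` from a CRLF-delimited message into dst.
 * The unsafe pattern is an unbounded string copy, where the sender decides how
 * many bytes are written. Here an over-long value is rejected, not truncated. */
enum hdr_status copy_header(const char *msg, const char *name, char *dst, size_t dstsz) {
    size_t nlen = strlen(name);
    if (dstsz == 0) return HDR_TOO_LONG;
    dst[0] = '\0';                               /* never leave stale data behind */
    for (const char *line = msg; line && *line; ) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen == 0) break;                    /* blank line ends the headers */
        if (llen > nlen && line[nlen] == ':' && ieq(line, name, nlen)) {
            const char *val = line + nlen + 1;
            size_t vlen = llen - nlen - 1;
            while (vlen && (*val == ' ' || *val == '\t')) { val++; vlen--; }
            if (vlen >= dstsz) return HDR_TOO_LONG;  /* need room for the NUL too */
            memcpy(dst, val, vlen);
            dst[vlen] = '\0';
            return HDR_OK;
        }
        line = eol ? eol + 2 : NULL;
    }
    return HDR_MISSING;
}

enum hdr_status parse_cseq(const char *msg) { return copy_header(msg, "CSeq", g_cseq, sizeof g_cseq); }
const char *last_cseq(void) { return g_cseq; }

int main(void) {
    const char *msg = "OPTIONS sip:cam@example.invalid SIP/2.0\r\nCSeq: 7 OPTIONS\r\n\r\n"; /* constructed */
    printf("%d %s\n", parse_cseq(msg), last_cseq());
    return 0;
}
```

Rejecting the message outright, rather than truncating the value, keeps a malformed request from being processed with a partial field.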

The Department of Commerce added Dahua in 2019 to its list of companies for which there exists a presumption of denial for U.S. companies seeking permission to sell technology to foreign companies. The federal government cited Dahua’s role in a campaign of repression perpetuated by Beijing against members of predominately Muslim Uighur and Kazakh ethnicities in the northwestern Chinese region of Xinjiang.

The Federal Communications Commission in November 2022 finalized a ban on future authorizations of Dahua equipment.

The Canadian, British and Australian governments have also pressured Chinese surveillance device makers in their respective countries.

Dahua is no stranger to flaws – not even to flaws based on its handling of ONVIF messages. Nozomi Networks in 2022 identified a flaw tracked as CVE-2022-30563 stemming from how some Dahua cameras implemented the specification’s handling of login information. The U.S. Cybersecurity and Infrastructure Security Agency in August 2024 added two Dahua vulnerabilities first identified in 2021 to its list of known exploited vulnerabilities.

Bitdefender recommended users “avoid exposing the Dahua camera web interface of vulnerable models to the internet” and to disable Universal Plug and Play networking and port forwarding. Devices with UPnP – which sends out multicast messages on a local network to discover other devices – are especially at risk. The cybersecurity firm also advised isolating the camera on its own virtual local area network.




© 2025 https://blog.aimactgrow.com/ - All Rights Reserved
