NEWS A Camera for Security — or a Trojan with a Lens? Dahua Betrays Its Users

ExcalibuR


Millions of devices became gateways for hacker intrusion.


Researchers from Bitdefender have disclosed two critical vulnerabilities in the firmware of Dahua smart surveillance cameras. These issues affect the implementation of the ONVIF protocol and the file upload mechanism, allowing attackers to take full control of the device without any authentication.


The vulnerabilities are identified as CVE-2025-31700 and CVE-2025-31701, both rated 8.1 on the CVSS scale. They impact a wide range of Dahua camera models, including the IPC-1XXX, IPC-2XXX, IPC-WX, IPC-ECXX series, as well as PTZ (pan-tilt-zoom) and speed dome models like SD2A, SD2C, SD3A, SD3D, and SDT2A — if their firmware was built before April 16, 2025. Users can check the firmware build date through the device’s web interface under System Information.


Both vulnerabilities are buffer overflow-related.


  • CVE-2025-31700 is a stack-based buffer overflow in the ONVIF request handler — ONVIF being a widely used open standard for video surveillance and access control in IP cameras.
  • CVE-2025-31701 lies in the RPC file upload handler, enabling an attacker to trigger an overflow and inject arbitrary code into the system.

Even though some devices may have mitigation mechanisms like ASLR in place, these do not eliminate the risk of DoS (Denial of Service) attacks, and under certain conditions, even remote code execution is possible.


Dahua cameras, used across diverse environments — from retail and warehouses to casinos and residential complexes — become especially vulnerable when exposed through port forwarding or UPnP. In such scenarios, an attacker can bypass all authentication, gain root-level access, and execute any commands, including implanting their own software and launching persistent services that survive reboots.


A particularly dangerous aspect is that the vulnerabilities allow bypassing firmware integrity checks. This means an attacker could install unsigned executables and maintain persistence on the device, making remediation extremely difficult.


According to Bitdefender, the attack surface in such devices remains significant — especially considering many cameras rarely receive timely security updates or are completely disconnected from centralized management. This creates a situation where even a single exploit can lead to mass infection of surveillance systems and serve as an entry point for further attacks on corporate or personal infrastructure.


Dahua has already released firmware updates that fix both vulnerabilities and strongly urges all users of the affected models to immediately install the latest versions. Since both flaws allow unauthorized remote code execution, delaying the update could have severe consequences, especially if the devices are accessible via the internet.
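The affected-series list and the April 16, 2025 build-date cutoff above can be applied to a camera inventory to decide which devices to patch first. The script below is an added example, not part of the original post or of Bitdefender's or Dahua's material; the CSV column names, host names and ISO date format are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Builds dated before this are affected, per the article.
FIXED_BUILD = date(2025, 4, 16)

# Series names exactly as the article lists them.
AFFECTED_SERIES = {"IPC-1XXX", "IPC-2XXX", "IPC-WX", "IPC-ECXX",
                   "SD2A", "SD2C", "SD3A", "SD3D", "SDT2A"}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,series,build_date,internet_exposed
cam-lobby,IPC-2XXX,2024-11-02,yes
cam-dock,SD3A,2025-05-20,no
cam-gate,IPC-WX,,yes
cam-vault,SDT2A,2025-04-15,no
cam-office,OTHER,2023-01-10,no
"""

def classify(row):
    """Return 'not-listed', 'patched', 'vulnerable' or 'unknown' for one row."""
    if (row.get("series") or "").strip().upper() not in AFFECTED_SERIES:
        return "not-listed"
    try:
        built = date.fromisoformat((row.get("build_date") or "").strip())
    except ValueError:
        # Missing or unparseable build date: the device cannot be ruled out.
        return "unknown"
    return "vulnerable" if built < FIXED_BUILD else "patched"

def triage(inventory_csv):
    """Return (host, status, exposed) for devices that still need action,
    internet-exposed devices first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row)
        if status in ("vulnerable", "unknown"):
            exposed = (row.get("internet_exposed") or "").strip().lower() == "yes"
            findings.append((row["host"], status, exposed))
    # Exposed devices first, then confirmed-vulnerable before unknown.
    findings.sort(key=lambda f: (not f[2], f[1] != "vulnerable", f[0]))
    return findings

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:10} exposed={exposed}")
```

Devices reported as `unknown` need their build date read from the web interface under System Information before they can be cleared.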
 