Cybersecurity researchers have disclosed critical security flaws that have now been patched in the firmware of Dahua smart cameras, allowing attackers to hijack control of sensitive devices.
“The flaws affecting the device’s ONVIF protocol and file upload handlers allow unauthorized attackers to execute arbitrary commands remotely and effectively take over the device,” Bitdefender said in a report shared with Hacker News.
Vulnerabilities tracked as CVE-2025-31700 and CVE-2025-31701 (CVSS score: 8.1) affect the following devices running versions with build timestamps by April 16, 2025 –
IPC-1XXX Series IPC-2XXX Series IPC-WX Series IPC-ECXX Series SD3A Series SD2A Series SD3D Series SDT2A Series SD2C Series
Users log in to the device’s web interface and[>[>]Note that you can view the build times by going to System Information -> Version.
Both drawbacks are classified as buffer overflow vulnerabilities that can be exploited by sending specially crafted malicious packets, resulting in denial of service or remote code execution (RCE).
Specifically, CVE-2025-31700 is described as a stack-based buffer overflow for Open Network Video Interface Forum (ONVIF) request handlers, while CVE-2025-31701 is about an overflow bug in the RPC file upload handler.
“Some devices may have protection mechanisms deployed, such as Address Space Layout Randomization (ASLR), which reduces the likelihood of successful RCE exploitation,” Dahua said in an alert released last week. “But denial of service (DOS) attacks continue to be a concern.”
Given that these models are used for video surveillance for retail, casinos, warehouses and residential use, flaws can have serious consequences as they are recognized and exploitable by local networks.
“Devices exposed to the internet via port forwarding or UPNP are particularly at risk,” says the Romanian cybersecurity company. “The success of the exploit provides root-level access to the camera without user interaction. The exploit path bypasses firmware integrity checks, allowing attackers to load unsigned payloads or persist through custom daemons, making cleanup difficult.”
Source link
