Dahua Cameras Get the Starring Role in Their Own Horror Film

Security researchers at Bitdefender uncovered two critical buffer-overflow bugs (CVE-2025-31700, CVE-2025-31701, CVSS 8.1) in Dahua smart-camera firmware built before 16 April 2025. One flaw sits in the ONVIF request handler, the other in the RPC file-upload routine. An unauthenticated attacker can sling a specially crafted packet and gain root control, either crashing the camera or loading their own code, even bypassing firmware-integrity checks. Nine popular Dahua ranges are affected (IPC-1/2/WX/ECXX, plus several SD PTZ lines). Devices exposed to the internet via port-forwarding or UPnP are most at risk. Dahua has shipped patched firmware; users should update, disable unnecessary ports and avoid public exposure.

Patch your CCTV, or the villains get front-row seats.

Bitdefender has found two corkers of bugs in Dahua smart cameras that could let anyone from script kiddies to Ocean’s Eleven waltz in and take charge.

What went wrong?
• CVE-2025-31700 – a stack-overflow in the ONVIF protocol (the bit that lets video gear talk nicely).
• CVE-2025-31701 – a matching bug in the file-upload handler.

Fire either exploit at a vulnerable camera and you land a root shell faster than you can say “cheese”.

Who’s in the firing line?
Nine camera families, including the IPC-1XXX and SD PTZ models you see everywhere from corner shops to casino floors. Anything built before 16 April 2025 is on the naughty list.

Why you should care
Unauthenticated = no password needed. Exposed to the internet = candy-shop for bots. Attackers can:
1. Crash the feed (denial-of-service).
2. Install their own firmware, hide in plain sight, and maybe join the next botnet fashion show.

Fix, and fix now
1. Grab the latest firmware from Dahua’s support portal.
2. Kill any lazy port-forwarding or UPnP rules.
3. Stick cameras behind a VPN or at least a firewall rule tighter than a jar of Branston Pickle.

Smile—you’re now (actually) on camera.
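
To put the fix list in order across a whole site, here is an added example (not from Bitdefender, Dahua or this post) that joins a camera inventory with a router's port-forward list and ranks each device by the article's two criteria: firmware built before 16 April 2025, and reachability through a forward. The inventory rows, names and mappings are constructed, the mapping layout is assumed to match what miniupnpc's `upnpc -l` prints, and every listed camera is assumed to belong to an affected family.

```python
import csv
import io
import re
from datetime import date

# From the article: firmware built before 16 April 2025 is vulnerable.
FIXED_BUILD = date(2025, 4, 16)
# (old build?, reachable through a forward?) -> action, prefixed so it sorts by urgency
ACTIONS = {(True, True): "1-update-and-unexpose", (True, False): "2-update",
           (False, True): "3-unexpose", (False, False): "4-ok"}

# Constructed inventory: addresses, names and build dates are invented.
INVENTORY = """ip,name,build_date
192.168.1.108,cam-lobby,2024-11-02
192.168.1.109,cam-dock,2025-05-20
192.168.1.110,cam-till,2023-07-14
192.168.1.111,cam-yard,2025-06-01
"""

# Constructed router port-mapping listing. Layout assumed to follow
# miniupnpc's `upnpc -l`: index, protocol, external->internal_ip:port.
MAPPINGS = """ 0 TCP  8443->192.168.1.108:443 'cam' '' 0
 1 UDP 51820->192.168.1.20:51820 'vpn' '' 0
 2 TCP  8080->192.168.1.111:80 'web' '' 0
"""
MAP_RE = re.compile(r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d+(?:\.\d+){3}):(\d+)", re.M)

def forwarded(mappings):
    """Map internal IP -> list of 'PROTO external->internal' rules exposing it."""
    rules = {}
    for proto, ext, ip, port in MAP_RE.findall(mappings):
        rules.setdefault(ip, []).append(f"{proto} {ext}->{port}")
    return rules

def triage(inventory, mappings):
    """Return (ip, name, action, rules) rows, most urgent first."""
    rules = forwarded(mappings)
    rows = []
    for cam in csv.DictReader(io.StringIO(inventory)):
        old = date.fromisoformat(cam["build_date"]) < FIXED_BUILD
        exposed = rules.get(cam["ip"], [])
        rows.append((cam["ip"], cam["name"], ACTIONS[(old, bool(exposed))], exposed))
    return sorted(rows, key=lambda r: r[2])

if __name__ == "__main__":
    for row in triage(INVENTORY, MAPPINGS):
        print(*row, sep="\t")
```

Static forwards configured by hand on the router do not appear in a UPnP listing, so add them to the mapping input from the router's own configuration export.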