Dahua smart camera flaws enable remote device takeover
Take action: If you have Dahua cameras (Hero C1, IPC-1XXX, IPC-2XXX, IPC-WX, IPC-ECXX, SD3A, SD2A, SD3D, SDT2A, SD2C series), make sure they are isolated from the internet, with UPnP disabled and no port forwarding. Then update all devices to firmware versions released after April 16, 2025. There's a PoC exploit, so automated attacks will come very soon.
Bitdefender cybersecurity researchers are reporting vulnerabilities in Dahua's Hero C1 smart camera series that allow unauthenticated attackers to execute arbitrary commands remotely and achieve complete device takeover.
Vulnerabilities summary:
- CVE-2025-31700 (CVSS score 8.1): A stack-based buffer overflow in the ONVIF protocol request handler that allows unauthenticated attackers to write arbitrary data to the stack, overwriting CPU registers and return addresses to achieve remote code execution
- CVE-2025-31701 (CVSS score 8.1): A buffer overflow vulnerability in an undocumented RPC upload endpoint that enables attackers to overwrite global variables in the .bss memory segment, redirecting execution flow to system calls for remote command execution
Bitdefender's proof-of-concept demonstration shows attackers writing system commands into memory and executing them through ROP chains. The research team successfully deployed ELF payloads using TFTP and spawned bind shells on port 4444 using LD_PRELOAD techniques, effectively bypassing binary signature verification mechanisms built into the firmware.
The security flaws were discovered during routine firmware analysis of the Dahua Hero C1 (DH-H4C) smart camera running firmware version V2.810.9992002.0.R with ONVIF version 21.06 and Web UI version V3.2.1.1452137.
The vulnerabilities initially affected Dahua Hero C1 (DH-H4C) smart cameras, but Dahua's internal security audit identified additional vulnerable product lines of cameras running firmware versions with build timestamps prior to April 16, 2025:
- IPC-1XXX Series
- IPC-2XXX Series
- IPC-WX Series
- IPC-ECXX Series
- SD3A Series
- SD2A Series
- SD3D Series
- SDT2A Series
- SD2C Series
Bitdefender reported the vulnerabilities to Dahua on March 28, 2025, and the vendor has released patches for the affected product lines.
Users should isolate Dahua camera web interfaces from the internet, disable UPnP functionality and remove any existing port forwarding rules. Then patch all devices to firmware versions after April 16, 2025.
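To apply the series list and the April 16, 2025 build cutoff across a camera fleet, the following added example (not code from Bitdefender or Dahua) triages an inventory and sorts devices that need action, internet-exposed ones first. The CSV column names, the status labels and the sample rows are assumptions; the `series` value is expected to be filled in by the operator from the vendor advisory.

```python
import csv
import io
from datetime import date

# Series the article lists as affected (Hero C1 is the DH-H4C model).
AFFECTED_SERIES = {"HERO C1", "IPC-1XXX", "IPC-2XXX", "IPC-WX", "IPC-ECXX",
                   "SD3A", "SD2A", "SD3D", "SDT2A", "SD2C"}
# Builds with a timestamp before this date are affected, per the article.
FIXED_BUILD = date(2025, 4, 16)

# Constructed sample inventory; column names are assumptions.
SAMPLE = """name,series,build_date,internet_exposed
lobby-cam,Hero C1,2024-11-02,yes
dock-ptz,SD3A,2025-05-20,no
gate-cam,IPC-2XXX,,yes
yard-cam,IPC-WX,2025-01-15,no
office-cam,Other,2023-06-01,yes
"""

def triage(inventory_csv):
    """Return (name, status, exposed) tuples, most urgent first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        exposed = (rec["internet_exposed"] or "").strip().lower() == "yes"
        if (rec["series"] or "").strip().upper() not in AFFECTED_SERIES:
            status = "not-listed"
        else:
            try:
                build = date.fromisoformat((rec["build_date"] or "").strip())
                status = "vulnerable" if build < FIXED_BUILD else "patched"
            except ValueError:
                # Missing or malformed build date: fail closed, verify by hand.
                status = "unknown-build"
        rows.append((rec["name"], status, exposed))
    rank = {"vulnerable": 0, "unknown-build": 1, "patched": 2, "not-listed": 3}
    needs_action = {"vulnerable", "unknown-build"}
    # Devices needing action first; within those, internet-exposed first.
    return sorted(rows, key=lambda r: (r[1] not in needs_action, not r[2],
                                       rank[r[1]], r[0]))

if __name__ == "__main__":
    for name, status, exposed in triage(SAMPLE):
        print(f"{name:12} {status:14} exposed={exposed}")
```

A device with no recorded build date is reported as `unknown-build` rather than assumed patched, so it stays on the work list until its firmware is confirmed.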