Dahua IP Cameras and PTZ: Unauthenticated Buffer Overflow Enables RCE
Summary
Several Dahua IP camera and PTZ families contain a buffer overflow that an unauthenticated attacker can trigger by sending specially crafted packets to the device, leading to crashes or remote code execution. Affected units are those built before the April 16, 2025 firmware cutoff, spanning common IPC and SD product lines used in commercial and infrastructure deployments. Successful exploitation hands an attacker control of an internet- or network-reachable camera without any login.
Affected products
Impact
Remote, unauthenticated exploitation (CVSS 3.1 base 8.1, vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) can crash the device, causing denial of service, or achieve code execution, giving an attacker access to live and stored video, a foothold on the network, and a device to conscript into a botnet. Because no authentication is required and many models are affected, exposed cameras are a high-priority risk.
Remediation
Dahua provides firmware built after April 16, 2025 that remediates the flaw. On the technical side, owners should update immediately, keep camera web interfaces off the public internet, disable UPnP, remove port-forwarding, and isolate cameras on a dedicated VLAN. For US federal, DoD, and federally funded buyers, however, Dahua is barred under Section 889, so patching does not resolve the compliance problem. Uniqcli Security can assess your camera fleet for Dahua and Dahua-OEM hardware and execute a TAA/NDAA-compliant replacement onto Axis, Hanwha, i-PRO, or Bosch with full audit documentation.
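One way to turn the remediation steps above into a work queue, as an added example that is not Dahua's or Uniqcli's tooling: it ranks an inventory export by firmware build date against the April 16, 2025 cutoff and by exposure (port-forwarding or UPnP). The CSV columns, the `Build Date: YYYY-MM-DD` firmware string format, and every host, model and version in the sample are assumptions constructed for illustration.

```python
import csv
import io
import re
from datetime import date

CUTOFF = date(2025, 4, 16)  # firmware cutoff stated in the advisory
BUILD_RE = re.compile(r"Build Date:\s*(\d{4}-\d{2}-\d{2})")  # assumed string format

# Constructed inventory export: hosts, models, versions and columns are made up.
SAMPLE = '''host,model,firmware,port_forwarded,upnp
10.20.0.11,IPC-model-A,"V1.0, Build Date: 2024-11-02",yes,no
10.20.0.12,SD-model-B,"V1.0, Build Date: 2025-06-30",no,yes
10.20.0.13,IPC-model-A,"V1.0, Build Date: 2025-04-16",no,no
10.20.0.14,IPC-model-C,unreadable,no,no
10.20.0.15,SD-model-B,"V1.0, Build Date: 2025-05-20",no,no
'''

def firmware_status(firmware):
    """Classify a firmware string against the advisory's cutoff date."""
    m = BUILD_RE.search(firmware)
    try:
        built = date.fromisoformat(m.group(1)) if m else None
    except ValueError:          # e.g. month 13: treat as unreadable
        built = None
    if built is None:
        return "unknown"
    if built == CUTOFF:
        # The advisory says "before" is affected and "after" is fixed;
        # the cutoff day itself is not covered, so confirm with the vendor.
        return "verify"
    return "vulnerable" if built < CUTOFF else "patched"

def triage(inventory_csv):
    """Return (priority, host, status, exposed) tuples, most urgent first."""
    out = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = firmware_status(row["firmware"])
        exposed = "yes" in (row["port_forwarded"], row["upnp"])
        if status != "patched":
            prio = 1 if exposed else 2   # not known fixed; exposed first
        else:
            prio = 3 if exposed else 4   # fixed; exposure still needs closing
        out.append((prio, row["host"], status, exposed))
    return sorted(out)

if __name__ == "__main__":
    for prio, host, status, exposed in triage(SAMPLE):
        print(f"P{prio} {host:<12} {status:<10} exposed={exposed}")
```

Devices whose build date cannot be read are ranked with the unpatched ones rather than assumed safe, and patched devices that are still port-forwarded or UPnP-enabled stay on the list until the exposure is closed.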
