Advisory ID: DHCC-SA-202507-001
First Published: 2025-07-23
Cybersecurity is a global challenge affecting all internet-connected devices, regardless of their origin. At Dahua, we are committed to maintaining the highest level of cybersecurity across our products and solutions, prioritising the swift resolution of any reported vulnerabilities. Dahua’s Product Security Incident Response Team (PSIRT) is dedicated to addressing security vulnerabilities promptly, notifying customers of potential risks, and sharing best practices to strengthen cybersecurity awareness.
In response to security issues reported by the Bitdefender IoT Research Team, Dahua immediately conducted a comprehensive investigation of affected product models and has developed patches and firmware that fix the vulnerabilities. Please download them from https://www.dahuasecurity.com/support/downloadCenter or contact Dahua local technical support to upgrade.
Consistent with cybersecurity best practice, we strongly suggest that all Dahua customers follow our security advisory to ensure their systems are up to date and maximally protected. In the meantime, customers with other concerns about cybersecurity-related issues are welcome to contact us at psirt@dahuatech.com.
Summary
1. CVE-2025-31700
An attacker could exploit a buffer overflow vulnerability by sending specially crafted malicious packets, potentially causing service disruption (e.g., crashes) or remote code execution (RCE). Some devices may have deployed protection mechanisms such as Address Space Layout Randomization (ASLR), which reduces the likelihood of successful RCE exploitation. However, denial-of-service (DoS) attacks remain a concern.
2. CVE-2025-31701
An attacker could exploit a buffer overflow vulnerability by sending specially crafted malicious packets, potentially causing service disruption (e.g., crashes) or remote code execution (RCE). Some devices may have deployed protection mechanisms such as Address Space Layout Randomization (ASLR), which reduces the likelihood of successful RCE exploitation. However, denial-of-service (DoS) attacks remain a concern.
Vulnerability Score
The vulnerability classification has been performed by using the CVSSv3.1 scoring system (http://www.first.org/cvss/specification-document).
CVE-2025-31700
Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Temporal Score: 7.3 (E:P/RL:O/RC:C)
CVE-2025-31701
Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Temporal Score: 7.3 (E:P/RL:O/RC:C)
Affected Products
The following product series are currently known to be partially affected by this issue. For the specific list of affected models, please refer to: https://materialfile.dahuasecurity.com/uploads/soft/20250723/Affected-Models.pdf. Versions with a build date after April 16, 2025 are not affected by this issue.
| CVE ID | Affected Models | Affected Version |
| --- | --- | --- |
| CVE-2025-31700, CVE-2025-31701 | IPC-1XXX Series, IPC-2XXX Series, IPC-WX Series, IPC-ECXX Series, SD3A Series, SD2A Series, SD3D Series, SDT2A Series, SD2C Series | Versions with a build time before 2025/4/16 |
Note: Please log in to the Web interface of the device to view the build time, which you can find on the Settings-System Information-Version Information page (setting-systeminfo-version).
Fix Software Download
Please download the corresponding fix software or its newer version as listed in the above table from the Dahua website, or contact Dahua local technical support to upgrade.
- Cloud Upgrade: For products with cloud upgrade capability, the related fixed version will be pushed progressively through cloud upgrade within 30 working days.
- Dahua official website: https://www.dahuasecurity.com/support/downloadCenter
- Dahua technical support personnel.
Support Resources
For any questions or concerns related to our products and solutions, please contact Dahua PSIRT at psirt@dahuatech.com.
Acknowledgment
We acknowledge the support of the Bitdefender IoT Research Team, who reported these vulnerabilities to Dahua and coordinated with us to handle them.
Revision History
| Version | Description | Date |
| --- | --- | --- |
| V1.0 | Initial public release | 2025-07-23 |