Unauthenticated Vulnerabilities Enable Complete Remote Code Execution

Unauthenticated attackers can remotely control Dahua Hero C1 smart cameras by exploiting certain firmware vulnerabilities, as stated by Bitdefender in a coordinated disclosure released Wednesday.
Bitdefender identified one significant flaw in the firmware’s handling of ONVIF protocol messages, which are used to transmit commands between security cameras and software. Another flaw involves an undocumented file upload endpoint.
“The successful exploitation of these vulnerabilities grants attackers root-level access to the camera without any user interaction,” Bitdefender explained. “The exploit path circumvents firmware integrity checks, enabling the execution of unsigned payloads and the potential establishment of persistent mechanisms through custom daemons, complicating remediation efforts.”
Dahua Technology issued patches for these vulnerabilities on July 7 and later published an advisory on July 23. The Dahua Hero C1 smart camera is particularly aimed at small business owners. Although Dahua’s revenue for 2024 was approximately $4.5 billion, the company remains on several U.S. blacklists.
The primary vulnerability, tracked as CVE-2025-31700, is a stack-based buffer overflow resulting from a malformed HTTP header. Bitdefender reports that an attacker can overwrite stack data arbitrarily, provided the payload avoids certain characters, leading to full control over CPU registers and execution redirection.
The second vulnerability, CVE-2025-31701, emerges from the camera’s handler for an undocumented endpoint, permitting an attacker to overflow a buffer in the .bss section using the header field in session initiation protocol messages. A flaw in the implementation of a specific C function allows the camera to directly copy the header into the vulnerable buffer.
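Both flaws come down to a header value being copied into a fixed-size buffer without a length check. The following C code is an added example, not Dahua's firmware code or Bitdefender's proof of concept, showing the defensive form of that copy; the buffer size, function names and the `Host` sample header are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define HDR_VALUE_MAX 64   /* assumed capacity; the real buffer size is not on the page */

/* Zero-initialised static storage, so the linker places it in .bss. */
static char g_hdr_value[HDR_VALUE_MAX];

/* Result codes (hypothetical names). */
enum { HDR_OK = 0, HDR_NOT_FOUND = -1, HDR_TOO_LONG = -2, HDR_BAD_CHAR = -3 };

/*
 * Store the value of header `name` from one "Name: value" line in the fixed
 * global buffer. The unsafe pattern is strcpy(g_hdr_value, value), which
 * trusts the sender to stay under HDR_VALUE_MAX. Here the length is measured
 * first; oversize or control-character input is rejected and the buffer is
 * left empty.
 */
int store_header_value(const char *line, const char *name)
{
    size_t name_len = strlen(name), len, i;
    const char *value;

    g_hdr_value[0] = '\0';
    /* Case-insensitive name match; stops at the line's NUL, never past it. */
    for (i = 0; i < name_len; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return HDR_NOT_FOUND;
    if (line[name_len] != ':')
        return HDR_NOT_FOUND;

    value = line + name_len + 1;
    while (*value == ' ' || *value == '\t')
        value++;

    len = strcspn(value, "\r\n");       /* value ends at the line terminator */
    if (len >= sizeof g_hdr_value)      /* one byte is reserved for the NUL */
        return HDR_TOO_LONG;
    for (i = 0; i < len; i++)
        if ((unsigned char)value[i] < 0x20 || value[i] == 0x7f)
            return HDR_BAD_CHAR;

    memcpy(g_hdr_value, value, len);
    g_hdr_value[len] = '\0';
    return HDR_OK;
}

const char *stored_header_value(void) { return g_hdr_value; }
```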
Additionally, in 2019, the Department of Commerce added Dahua to its entity list, creating a presumption of denial for U.S. companies wishing to sell technology to foreign firms. This decision was influenced by Dahua’s involvement in the repression of Uighur and Kazakh minorities in China’s Xinjiang region.
In November 2022, the Federal Communications Commission finalized a ban on future authorizations of Dahua equipment. Governments in Canada, Britain, and Australia have similarly expressed concerns regarding Chinese surveillance technology in their jurisdictions.
Past vulnerabilities in Dahua cameras reveal a troubling pattern; for example, in 2022, Nozomi Networks identified CVE-2022-30563, which was linked to the handling of login information in the ONVIF implementation of some Dahua devices. Recently, two vulnerabilities from 2021 were added to the U.S. Cybersecurity and Infrastructure Security Agency’s catalog of known exploited vulnerabilities.
In light of these risks, Bitdefender recommends that users avoid exposing the web interface of vulnerable Dahua camera models to the internet. It advises disabling Universal Plug and Play networking and port forwarding, as devices employing UPnP are particularly vulnerable. It also suggests isolating the camera on a dedicated virtual local area network to enhance security.