Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices.
"The flaws, affecting the device's ONVIF protocol and file upload handlers, allow unauthenticated attackers to execute arbitrary commands remotely, effectively taking over the device," Bitdefender said in a report shared with The Hacker News.
The vulnerabilities, tracked as CVE-2025-31700 and CVE-2025-31701 (CVSS scores: 8.1), affect the following devices running versions with built timestamps before April 16, 2025 -
- IPC-1XXX Series
- IPC-2XXX Series
- IPC-WX Series
- IPC-ECXX Series
- SD3A Series
- SD2A Series
- SD3D Series
- SDT2A Series
- SD2C Series
It's worth noting that users can view the build time by logging in to the web interface of the device and then navigating to Settings -> System Information -> Version.
Both shortcomings are classified as buffer overflow vulnerabilities that could be exploited by sending specially crafted malicious packets, resulting in denial-of-service or remote code execution (RCE).
Specifically, CVE-2025-31700 has been described as a stack-based buffer overflow in the Open Network Video Interface Forum (ONVIF) request handler, while CVE-2025-31701 concerns an overflow bug in the RPC file upload handler.
"Some devices may have deployed protection mechanisms such as Address Space Layout Randomization (ASLR), which reduces the likelihood of successful RCE exploitation," Dahua said in an alert released last week. "However, denial-of-service (DoS) attacks remain a concern."
Given that these models are used for video surveillance in retail, casinos, warehouses, and residential settings, the flaws can have significant consequences as they are unauthenticated and exploitable over the local network.
"Devices exposed to the internet through port forwarding or UPnP are especially at risk," the Romanian cybersecurity company said. "Successful exploitation provides root-level access to the camera with no user interaction. Because the exploit path bypasses firmware integrity checks, attackers can load unsigned payloads or persist via custom daemons, making cleanup difficult."
