CVE-2017-9315

high-risk
Published 2017-11-28

Customers of Dahua IP cameras or IP PTZ devices could submit relevant device information to receive a time-limited temporary password from a Dahua authorized dealer to reset the admin password. The algorithm used in this mechanism is potentially at risk of being compromised and subsequently used by an attacker.

Do I need to act?

0.39% chance of exploitation
EPSS score — low exploit probability

Not on CISA KEV list
No confirmed active exploitation reported to CISA

Patch status unknown
Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

IPC-HFW1XXX Firmware
IPC-HFW2XXX Firmware
IPC-HDBW4XXX Firmware
IPC-HF5XXX Firmware
IPC-HFW5XXX Firmware
IPC-HDW5XXX Firmware
IPC-HDBW5XXX Firmware
IPC-HF8XXX Firmware
IPC-HFW8XXX Firmware
DH-SD2XXXXX Firmware
IPC-PDBW8XXX Firmware
PSD8XXXX Firmware
DH-SD4XXXXX Firmware
DH-SD6XXXXX Firmware
IPC-HDW1XXX Firmware
IPC-HDBW1XXX Firmware
IPC-HDW2XXX Firmware
IPC-HDBW2XXX Firmware
IPC-HFW4XXX Firmware
IPC-HDW4XXX Firmware

Affected Vendors

54 / 100
high-risk
Severity 32/34 · Critical
Exploitability 1/34 · Minimal
Exposure 21/34 · High