CVE-2019-9677

high-risk
Published 2019-09-18

The specific fields of CGI interface of some Dahua products are not strictly verified, an attacker can cause a buffer overflow by constructing malicious packets. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18, 2019.

Do I need to act?

-
0.86% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (9)

Ipc-Hdw1X2X Firmware
Ipc-Hfw1X2X Firmware
Ipc-Hdw2X2X Firmware
Ipc-Hfw2X2X Firmware
Ipc-Hdw4X2X Firmware
Ipc-Hfw4X2X Firmware
Ipc-Hdbw4X2X Firmware
Ipc-Hdw5X2X Firmware
Ipc-Hfw5X2X Firmware

Affected Vendors

Dahuasecurity

References (2)

Patch https://www.dahuasecurity.com/support/cybersecurity/details/637
Patch https://www.dahuasecurity.com/support/cybersecurity/details/637
50
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 3/34 · Minimal
Exposure 15/34 · Moderate