CVE-2021-33045

critical-risk

Published 2021-09-15

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

Do I need to act?

94.1% chance of exploitation in next 30 days

EPSS score — higher than 6% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (19)

Ipc-Hum7Xxx Firmware

Ipc-Hx3Xxx Firmware

Ipc-Hx5Xxx Firmware

Nvr-1Xxx Firmware

Nvr-2Xxx Firmware

Nvr-4Xxx Firmware

Nvr-5Xxx Firmware

Nvr-6Xx Firmware

Vth-542Xh Firmware

Vto-65Xxx Firmware

Vto-75X95X Firmware

Xvr-4X04 Firmware

Xvr-4X08 Firmware

Xvr-4X04 Firmware

Xvr-5X04 Firmware

Xvr-5X08 Firmware

Xvr-5X16 Firmware

Xvr-7X16 Firmware

Xvr-7X32 Firmware

Affected Vendors

Dahuasecurity

References (7)

Exploit http://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.html

Exploit http://seclists.org/fulldisclosure/2021/Oct/13

Vendor Advisory https://www.dahuasecurity.com/support/cybersecurity/details/957

Exploit http://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.html

Exploit http://seclists.org/fulldisclosure/2021/Oct/13

Vendor Advisory https://www.dahuasecurity.com/support/cybersecurity/details/957

US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...

/ 100

critical-risk

Severity 32/34 · Critical

Exploitability 27/34 · High

Exposure 19/34 · Moderate