- Dahua CCTV flaws identified by Bitdefender affect more than 100 popular security camera models
- Vulnerabilities allow remote code execution without authentication over local or internet connections
- The company urges firmware updates and network isolation to avoid exploitation
Bitdefender researchers have disclosed two critical vulnerabilities that affect a large number of Dahua smart cameras.
The flaws, which were patched in the most recent firmware update, could allow unauthenticated attackers to take full control of the affected devices.
Dahua has confirmed that a total of 126 models were affected, including multiple devices of the IPC, SD and DH series, not only the Hero C1 model that was initially reported.
Patch now
The first of the vulnerabilities, CVE-2025-31700, is a buffer overflow flaw in the Dahua camera firmware that can be triggered when the device processes specially crafted network packets. If exploited, it could cause the camera to crash or, in some cases, allow a remote attacker to execute their own code on the device.
The second, CVE-2025-31701, is another buffer overflow that is also exploitable through maliciously crafted packets sent over the network. It can also be used to crash the camera or potentially gain full remote control, depending on the target's defenses.
Both can be exploited to execute arbitrary code with root privileges.
Bitdefender privately notified Dahua on March 28, 2025. The Chinese manufacturer of video surveillance equipment acknowledged the report the next day and validated the findings before April 1.
It requested some time to prepare a fix for the problems, and the patches were finally released last month, followed by the agreed public disclosure.
The two vulnerabilities are especially dangerous for devices accessible from the Internet through port forwarding or UPnP, since exploitation requires no authentication.
Bitdefender warns that successful attacks could bypass firmware integrity checks and install persistent malicious code, which makes cleanup difficult.
Dahua, the second largest CCTV manufacturer in the world behind Hikvision, has faced scrutiny in several countries over cybersecurity issues and data privacy concerns, particularly related to possible vulnerabilities in its network-connected devices.
It maintains a Product Security Incident Response Team (PSIRT) to coordinate with researchers on reported defects, as in the case of these vulnerability disclosures.
The company urges all customers who have not yet done so to update their camera firmware as a matter of urgency.
For anyone who cannot do so immediately, it advises disconnecting vulnerable devices from direct Internet access, disabling UPnP and isolating cameras on separate networks to reduce the risk.
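The three interim mitigations above (no direct Internet exposure, UPnP disabled, cameras on their own network) can be checked against a device inventory. The following Python is an added example, not code from Dahua or Bitdefender; the addresses, ports, router table layout and the `audit` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample data; addresses, ports and layout are assumptions.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")  # dedicated camera network
CAMERAS = ["10.20.30.11", "10.20.30.12", "192.168.1.50"]
OTHER_HOSTS = ["192.168.1.10", "10.20.30.200"]  # non-camera devices
ROUTER = {
    "upnp_enabled": True,
    # (source, external port, internal IP, internal port)
    "port_maps": [
        ("static", 8443, "192.168.1.10", 443),
        ("upnp", 554, "10.20.30.11", 554),
        ("static", 8080, "192.168.1.50", 80),
    ],
}


def audit(cameras, other_hosts, router, camera_net):
    """Return findings for the three interim mitigations, in check order."""
    findings = []
    cams = {ipaddress.ip_address(c) for c in cameras}
    # 1. UPnP lets any LAN device open an inbound mapping on its own.
    if router["upnp_enabled"]:
        findings.append("router: UPnP is enabled")
    # 2. Any mapping (static or UPnP) to a camera exposes it to the Internet.
    for source, ext_port, int_ip, int_port in router["port_maps"]:
        if ipaddress.ip_address(int_ip) in cams:
            findings.append(
                f"{int_ip}: Internet-reachable via {source} map {ext_port}->{int_port}")
    # 3. Isolation: cameras inside the camera network, nothing else in it.
    for cam in sorted(cams):
        if cam not in camera_net:
            findings.append(f"{cam}: camera outside {camera_net}")
    for host in other_hosts:
        if ipaddress.ip_address(host) in camera_net:
            findings.append(f"{host}: non-camera host inside {camera_net}")
    return findings


if __name__ == "__main__":
    for line in audit(CAMERAS, OTHER_HOSTS, ROUTER, CAMERA_NET):
        print(line)
```

An empty result means all three conditions hold for the inventory supplied; it says nothing about whether the firmware itself has been updated.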
A detailed list of affected models is included in Dahua's online advisory, together with links to the patched firmware.
Both Dahua and Bitdefender stress that Internet-connected devices should be considered prime targets.