Bitdefender cybersecurity experts have uncovered two severe vulnerabilities in popular Dahua smart cameras, including the Dahua Hero C1 (DH-H4C) series. These flaws could allow unauthenticated attackers to remotely execute arbitrary commands, effectively taking complete control of the affected devices. Given that these cameras are widely used for surveillance in both commercial and private settings, the security implications are significant. The vulnerabilities were responsibly disclosed to Dahua, which has since released patches to address the issue.
The first vulnerability, identified as CVE-2025-31700 with a high CVSS score of 8.1, is a stack-based buffer overflow. It exists in the camera’s ONVIF protocol handler, which listens on port 80. An attacker can exploit this flaw without authentication by sending a specially crafted Host header. The firmware incorrectly parses this header, and if it contains a ‘]’ character not followed by a ‘:’, a strncpy function call receives an incorrect size parameter. This allows an attacker to write an arbitrary number of bytes to the stack, overwrite the return address, and ultimately execute malicious code through a Return-Oriented Programming (ROP) chain.
RPC Endpoint Buffer Overflow (CVE-2025-31701)
The second flaw, tracked as CVE-2025-31701 and also rated with a CVSS score of 8.1, affects an undocumented Remote Procedure Call (RPC) upload endpoint. By sending a long HTTP header to this endpoint, an attacker can trigger a buffer overflow in the .bss memory segment. This allows the attacker to overwrite global variables, hijack system calls, and achieve full remote code execution. Like the first vulnerability, this attack does not require any authentication, making it particularly dangerous.
Affected Models and Impact
Initially found in the Dahua Hero C1 series, Dahua later confirmed that several other models are also vulnerable. These include the IPC-1XXX, IPC-2XXX, IPC-WX, IPC-ECXX, SD3A, SD2A, SD3D, SDT2A, and SD2C series running firmware versions older than April 16, 2025. The risk is highest when these cameras are exposed to the internet, for example, through port forwarding or Universal Plug and Play (UPnP). A successful attack grants root access to the device without any user interaction, enabling hackers to install persistent malware or bypass firmware integrity checks.
Mitigation and User Recommendations
Following a coordinated disclosure process that began in March 2025, Dahua released patched firmware on July 7, 2025. All users of the affected camera models are strongly advised to update their device firmware to a version released after April 16, 2025, as soon as possible. Additionally, it is recommended to avoid exposing cameras directly to the internet. Users should disable UPnP and any port forwarding rules for their cameras and, for enhanced security, isolate IoT devices on a separate network segment.
Reference:
