Skip to main content

Dahua CVE-2025-31703

| EUVDEUVD-2025-208815 LOW
Authentication Bypass by Primary Weakness (CWE-305)
2026-03-18 dahua
2.4
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.4 LOW
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 08:00 euvd
EUVD-2025-208815
Analysis Generated
Mar 18, 2026 - 08:00 vuln.today
CVE Published
Mar 18, 2026 - 07:13 nvd
LOW 2.4

DescriptionCVE.org

A vulnerability found in Dahua NVR/XVR device. A third-party malicious attacker with physical access to the device may gain access to a restricted shell via the serial port, and bypasses the shell's authentication mechanism to escalate privileges.

AnalysisAI

This vulnerability in Dahua NVR/XVR devices allows unauthenticated privilege escalation through the serial port console by bypassing shell authentication mechanisms. Affected devices include Dahua NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T models with build dates prior to March 3, 2026. An attacker with physical access to the device can gain a restricted shell and escalate privileges to access sensitive system functions, though the CVSS 2.4 score reflects the requirement for physical proximity and lack of data availability impact.

Technical ContextAI

The vulnerability exists in Dahua's NVR/XVR device firmware's serial console implementation, which fails to properly enforce authentication controls. The root cause aligns with CWE-305 (Missing Cryptographic Steps), indicating that the authentication bypass mechanism lacks proper cryptographic or verification safeguards on the serial interface. The affected products (cpe:2.3:a:dahua:nvr2-4ks3, cpe:2.3:a:dahua:xvr4232an-i/t, cpe:2.3:a:dahua:xvr1b16h-i/t) are enterprise-grade video surveillance devices that typically expose a serial debug port for maintenance and diagnostics. This serial interface is intended to be protected but lacks adequate authentication enforcement, allowing an attacker to interact with restricted shell commands without proper credential validation.

RemediationAI

Dahua has released firmware patches addressing this vulnerability; devices should be updated to firmware builds dated March 3, 2026 or later. Organizations should prioritize patching for NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T units according to Dahua's official release schedule available on their PSIRT page. Until patches can be deployed, implement compensating controls by restricting physical access to serial ports on affected devices (use cable locks or restricted server room access), disable serial console ports if not operationally required, and ensure devices are housed in physically secure locations with access logs. Consider reviewing physical security policies for surveillance infrastructure deployments to minimize unauthorized access risk. Refer to the official Dahua security advisory for device-specific patching procedures and to VulDB (https://vuldb.com/?id.351509) for additional technical details on the vulnerability.

More in Dahua

View all
CVE-2017-7925 CRITICAL POC
9.8 May 06

A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX,

CVE-2013-6117 HIGH POC
7.5 Jul 11

Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive informatio

CVE-2013-3612 CRITICAL POC
10.0 Sep 17

Dahua DVR appliances have a hardcoded password for (1) the root account and (2) an unspecified "backdoor" account, which

CVE-2013-3614 CRITICAL POC
9.3 Sep 17

Dahua DVR appliances have a small value for the maximum password length, which makes it easier for remote attackers to o

CVE-2013-3613 HIGH POC
7.8 Sep 17

Dahua DVR appliances do not properly restrict UPnP requests, which makes it easier for remote attackers to obtain access

CVE-2023-3836 CRITICAL POC
9.8 Jul 22

A vulnerability classified as critical was found in Dahua Smart Park Management up to 20230713. Rated critical severity

CVE-2021-33045 CRITICAL POC
9.8 Sep 15

The identity authentication bypass vulnerability found in some Dahua products during the login process. Rated critical s

CVE-2021-33044 CRITICAL POC
9.8 Sep 15

The identity authentication bypass vulnerability found in some Dahua products during the login process. Rated critical s

CVE-2013-3615 HIGH POC
7.8 Sep 17

Dahua DVR appliances use a password-hash algorithm with a short hash length, which makes it easier for context-dependent

CVE-2017-7253 HIGH POC
8.8 Mar 30

Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: 1. Rated high severity (CVSS 8.8), this vulnerabi

CVE-2017-7927 HIGH POC
7.3 May 06

A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC

CVE-2019-3948 HIGH POC
7.5 Jul 29

The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0

Share

CVE-2025-31703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy