CVE-2025-31703

EUVD-2025-208815 | LOW | 2026-03-18 | dahua
CVSS 4.0: 2.4

CVSS Vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Lifecycle Timeline

Analysis Generated: Mar 18, 2026 - 08:00 (vuln.today)
EUVD ID Assigned: Mar 18, 2026 - 08:00 (euvd), EUVD-2025-208815
CVE Published: Mar 18, 2026 - 07:13 (nvd), LOW 2.4

Description

A vulnerability has been found in Dahua NVR/XVR devices. A third-party malicious attacker with physical access to the device may gain access to a restricted shell via the serial port and bypass the shell's authentication mechanism to escalate privileges.

Analysis

This vulnerability in Dahua NVR/XVR devices allows unauthenticated privilege escalation through the serial port console by bypassing the shell's authentication mechanism. Affected devices include Dahua NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T models with build dates prior to March 3, 2026. An attacker with physical access to the device can gain a restricted shell and escalate privileges to access sensitive system functions. The CVSS score of 2.4 reflects the requirement for physical proximity (AV:P) and the absence of availability impact (VA:N).

Technical Context

The vulnerability lies in the serial console implementation of Dahua's NVR/XVR device firmware, which fails to properly enforce authentication controls. The root cause aligns with CWE-305 (Missing Cryptographic Steps), indicating that the authentication mechanism on the serial interface lacks proper cryptographic or verification safeguards. The affected products (cpe:2.3:a:dahua:nvr2-4ks3, cpe:2.3:a:dahua:xvr4232an-i/t, cpe:2.3:a:dahua:xvr1b16h-i/t) are enterprise-grade video surveillance devices that typically expose a serial debug port for maintenance and diagnostics. This serial interface is intended to be protected but lacks adequate authentication enforcement, allowing an attacker to run restricted shell commands without proper credential validation.

Affected Products

Three Dahua surveillance device models are affected, in each case all versions with build timestamps prior to March 3, 2026: NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T. These devices are identified via their respective CPE entries (cpe:2.3:a:dahua:nvr2-4ks3:*:*:*:*:*:*:*:*, cpe:2.3:a:dahua:xvr4232an-i/t:*:*:*:*:*:*:*:*, cpe:2.3:a:dahua:xvr1b16h-i/t:*:*:*:*:*:*:*:*). Further details and official vendor guidance are available in the Dahua PSIRT security advisory at https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psirt/security-advisory-%E2%80%93-vulnerability-found-in-dahua-nvr-xvr-device and the EUVD database entry (EUVD-2025-208815).

Remediation

Dahua has released firmware patches addressing this vulnerability; devices should be updated to firmware builds dated March 3, 2026 or later. Organizations should prioritize patching for NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T units according to Dahua's official release schedule available on their PSIRT page. Until patches can be deployed, implement compensating controls: restrict physical access to serial ports on affected devices (use cable locks or restricted server room access), disable serial console ports if they are not operationally required, and ensure devices are housed in physically secure locations with access logs. Consider reviewing physical security policies for surveillance infrastructure deployments to minimize unauthorized access risk. Refer to the official Dahua security advisory for device-specific patching procedures and to VulDB (https://vuldb.com/?id.351509) for additional technical details on the vulnerability.

Priority Score

12
KEV: 0
EPSS: +0.0
CVSS: +12
POC: 0
