Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
A vulnerability has been found in some Dahua products. An attacker may obtain the device’s CA root certificate. If that CA is installed and trusted on client systems, the attacker could issue fraudulent certificates trusted by those clients and undermine the certificate trust chain.
AnalysisAI
CA root certificate exposure in Dahua IPC devices allows unauthenticated network-based attackers, under specific prerequisite conditions, to retrieve the device's internal CA root certificate. If the obtained certificate is installed and trusted on client systems, the attacker could leverage it to issue fraudulent certificates recognized as valid by those clients, collapsing the integrity of affected certificate trust chains. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the CVSS 4.0 score of 2.3 reflects the multi-step, user-dependent nature of the full attack chain.
Technical ContextAI
CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory) identifies the root cause: sensitive PKI material - specifically the CA root certificate, and potentially associated private key material - is stored or served via an endpoint reachable over the network. The affected product class is Dahua IPC (IP Camera) devices, identified by CPE cpe:2.3:a:dahua:ipc:*:*:*:*:*:*:*:*. Dahua IPC devices operate internal PKIs to sign device communications, and the flaw allows external parties to retrieve this trust anchor. The downstream risk stems from the way operating systems and browsers extend implicit trust to installed CA certificates: once a CA is trusted, all certificates it signs are accepted without further validation, enabling man-in-the-middle scenarios or service impersonation against affected clients.
RemediationAI
Update affected Dahua IPC devices to firmware with a build date of April 15, 2026 or later, per vendor advisory DHCC-SA-202606-001 (https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psirt/dhcc-sa-202606-001). An exact patched firmware version string was not independently confirmed in available data; contact Dahua support to identify the specific update package for each device model. As compensating controls where patching is not immediately feasible: restrict network access to Dahua IPC management interfaces using firewall rules or VLAN segmentation to prevent unauthorized certificate retrieval; audit client systems in the environment for any previously installed Dahua-issued CA certificates and revoke trust if the installation was not explicitly authorized; and enforce certificate pinning on applications communicating with Dahua devices where technically feasible. Note that VLAN segmentation limits device management reach but does not remediate the underlying vulnerability and should be treated as a temporary measure only.
A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX,
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive informatio
Dahua DVR appliances have a hardcoded password for (1) the root account and (2) an unspecified "backdoor" account, which
Dahua DVR appliances have a small value for the maximum password length, which makes it easier for remote attackers to o
Dahua DVR appliances do not properly restrict UPnP requests, which makes it easier for remote attackers to obtain access
A vulnerability classified as critical was found in Dahua Smart Park Management up to 20230713. Rated critical severity
The identity authentication bypass vulnerability found in some Dahua products during the login process. Rated critical s
The identity authentication bypass vulnerability found in some Dahua products during the login process. Rated critical s
Dahua DVR appliances use a password-hash algorithm with a short hash length, which makes it easier for context-dependent
Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: 1. Rated high severity (CVSS 8.8), this vulnerabi
A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC
The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35984
GHSA-9359-w3rx-353r