57
CVEs
14
Critical
23
High
2
KEV
13
PoC
26
Unpatched C/H
36.8%
Patch Rate
9.6%
Avg EPSS
Severity Breakdown
CRITICAL
14
HIGH
23
MEDIUM
15
LOW
5
Monthly CVE Trend
Affected Products (30)
Dhi Dss7016D S2 Firmware
12
Dhi Dss7016Dr S2 Firmware
12
Dss Professional
12
Dhi Dss4004 S2 Firmware
12
Dss Express
12
Nvr4832 4Ks2 I Firmware
7
Nvr4108Hs 8P 4Ks2 L Firmware
7
Nvr4816 16P 4Ks2 I Firmware
7
Nvr4108 8P 4Ks3 Firmware
7
Nvr4204 P 4Ks3 Firmware
7
Nvr4204 4Ks3 Firmware
7
Nvr4108Hs P 4Ks3 Firmware
7
Nvr4108 4Ks3 Firmware
7
Nvr4108Hs 4Ks2 L Firmware
7
Nvr4104Hs 4Ks2 L Firmware
7
Nvr4116Hs 8P 4Ks3 Firmware
7
Nvr4104Hs P 4Ks2 L Firmware
7
Nvr4232 4Ks3 Firmware
7
Nvr4208 4Ks3 Firmware
7
Nvr4204 P 4Ks2 L Firmware
7
Nvr4116 8P 4Ks3 Firmware
7
Nvr4108 P 4Ks2 L Firmware
7
Nvr4116Hs 4Ks2 L Firmware
7
Nvr4416 16P 4Ks2 I Firmware
7
Nvr4104Hs 4Ks3 Firmware
7
Nvr4216 4Ks2 L Firmware
7
Nvr4108 4Ks2 L Firmware
7
Nvr4104Hs P 4Ks3 Firmware
7
Nvr4232 4Ks2 L Firmware
7
Nvr4108Hs 4Ks3 960G Firmware
7
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2017-7925 | A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.4%. | CRITICAL | 9.8 | 80.4% | 149 |
PoC
|
| CVE-2013-6117 | Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 89.7%. | HIGH | 7.5 | 89.7% | 147 |
PoC
No patch
|
| CVE-2013-3612 | Dahua DVR appliances have a hardcoded password for (1) the root account and (2) an unspecified "backdoor" account, which makes it easier for remote attackers to obtain administrative access via. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.1%. | CRITICAL | 10.0 | 12.1% | 82 |
PoC
No patch
|
| CVE-2013-3614 | Dahua DVR appliances have a small value for the maximum password length, which makes it easier for remote attackers to obtain access via a brute-force attack. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 10.8%. | CRITICAL | 9.3 | 10.8% | 77 |
PoC
No patch
|
| CVE-2013-3613 | Dahua DVR appliances do not properly restrict UPnP requests, which makes it easier for remote attackers to obtain access via vectors involving a replay attack against the TELNET port. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.0%. | HIGH | 7.8 | 12.0% | 71 |
PoC
No patch
|
| CVE-2021-33044 | The identity authentication bypass vulnerability found in some Dahua products during the login process. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 99.9% | 69 |
KEV
PoC
No patch
|
| CVE-2021-33045 | The identity authentication bypass vulnerability found in some Dahua products during the login process. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 99.6% | 69 |
KEV
PoC
No patch
|
| CVE-2023-3836 | A vulnerability classified as critical was found in Dahua Smart Park Management up to 20230713. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 73.5% | 69 |
PoC
No patch
|
| CVE-2013-3615 | Dahua DVR appliances use a password-hash algorithm with a short hash length, which makes it easier for context-dependent attackers to discover cleartext passwords via a brute-force attack. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 7.8 | 8.6% | 68 |
PoC
No patch
|
| CVE-2017-7253 | Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: 1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 8.8 | 0.8% | 65 |
PoC
No patch
|
| CVE-2017-7927 | A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX,. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | HIGH | 7.3 | 1.7% | 58 |
PoC
|
| CVE-2019-3948 | The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0.R, Dahua DH-IPC HX883X and DH-IPC-HX863X V2.622.0000000.7.R, Dahua DH-SD4XXXXX. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 7.5 | 26.7% | 58 |
PoC
No patch
|
| CVE-2013-5754 | The authorization implementation on Dahua DVR appliances accepts a hash string representing the current date for the role of a master password, which makes it easier for remote attackers to obtain. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. | CRITICAL | 10.0 | 1.6% | 52 |
No patch
|
| CVE-2023-7309 | A path traversal vulnerability exists in the Dahua Smart Park Integrated Management Platform (also referred to as the Dahua Smart Campus Integrated Management Platform), affecting the SOAP-based GIS. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 10.0 | 1.2% | 51 |
No patch
|
| CVE-2017-9315 | Customer of Dahua IP camera or IP PTZ could submit relevant device information to receive a time limited temporary password from Dahua authorized dealer to reset the admin password. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 0.4% | 49 |
No patch
|