
Two critical buffer overflow vulnerabilities, CVE-2025-31700 and CVE-2025-31701, are being actively used to hijack millions of Dahua CCTV cameras worldwide, and exploiting them requires zero authentication. The flaws were disclosed on 23 July 2025; attackers need only a target IP address to gain root-level access, extract credentials, and embed persistent malware. Nine camera series remain exposed if their firmware predates 16 April 2025. Patching immediately, segmenting cameras onto isolated networks, and disabling UPnP are the strongest defences, and there’s considerably more to unpack here.
What Are CVE-2025-31700 and CVE-2025-31701?
Two critical buffer overflow vulnerabilities — CVE-2025-31700 and CVE-2025-31701 — were publicly disclosed on 23 July 2025, exposing a significant attack surface across Dahua’s CCTV product line.
Think of them as two open doors into the same building: different entry points, same dangerous destination.
CVE-2025-31700 lives inside Dahua’s ONVIF request handler, where attackers send specially crafted packets that trigger a stack-based buffer overflow. It carries a CVSS v3.1 score of 8.1 — firmly High severity — affecting all firmware built before 16 April 2025.
CVE-2025-31701 targets the RPC file upload handler and has already been observed in real-world remote code execution attempts. That’s not a theoretical risk. That’s active exploitation.
Together, these flaws facilitate device hijacking, service crashes, denial-of-service attacks, and arbitrary command execution. The CVSS v3 vector confirms the attack requires no privileges and no user interaction, making these vulnerabilities particularly dangerous in exposed network environments. Ensuring network security with secure Wi-Fi setup can help mitigate some risks associated with such vulnerabilities.
For the security-conscious community watching Dahua’s ecosystem, these disclosures demand immediate attention — not tomorrow, now. Both vulnerabilities are classified under CWE-120, a weakness defined as buffer copy without checking the size of input.
Which Dahua Cameras Are Actually at Risk?
Knowing which vulnerabilities exist is one thing — knowing which hardware is sitting exposed on your network is another matter entirely.
Nine Dahua smart camera series carry these critical flaws, and the list reads like a cross-section of modern surveillance infrastructure. The Hero C1 Series, IPC-1XXX, IPC-2XXX, IPC-WX, and IPC-ECXX models are all confirmed vulnerable — deployed everywhere from casinos and retail floors to residential driveways and warehouses.
Sound familiar? There’s a decent chance your facility runs at least one. The unifying thread: any firmware built before 16 April 2025 remains exposed. Patches exist, but unpatched devices don’t patch themselves.
The IPC-ECXX series carries perhaps the steepest consequence — successful exploitation grants root-level access, fundamentally handing attackers the keys to the building.
ASLR offers some resistance against full remote code execution on certain models, but denial-of-service attacks remain viable regardless. Regular assessments and timely updates are essential to reduce security vulnerabilities, especially in critical infrastructure. Being in the “patched” group matters here. Both vulnerabilities carry CVSS scores of 8.1, reflecting how seriously security researchers rate the damage these flaws can inflict across exposed deployments. Attackers can exploit these flaws without any credentials, leveraging unauthenticated remote code execution to compromise devices silently and at scale. Staying informed about security best practices is vital to maintaining ongoing protection against evolving threats.
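As an added example (not code from Dahua or from the original article), the following Python script triages a camera inventory against the 16 April 2025 build cutoff described above. The CSV layout, the "Build Date: YYYY-MM-DD" firmware string format, the operator-supplied series column and the sample rows are assumptions; only the five series this article names are listed.

```python
import csv
import io
import re
from datetime import date

# From the article: firmware built before 16 April 2025 is exposed.
FIXED_BUILD = date(2025, 4, 16)
# Only the five series the article names; it says nine are affected in total.
NAMED_SERIES = {"HERO C1", "IPC-1XXX", "IPC-2XXX", "IPC-WX", "IPC-ECXX"}
# Assumed firmware string layout: "<version>, Build Date: YYYY-MM-DD".
BUILD_RE = re.compile(r"Build Date:\s*(\d{4})-(\d{2})-(\d{2})", re.I)

# Constructed inventory (documentation addresses, made-up version strings).
SAMPLE = """host,series,firmware
192.0.2.10,IPC-2XXX,"V2.800.0000000.1.R, Build Date: 2024-11-03"
192.0.2.11,IPC-ECXX,"V2.800.0000000.9.R, Build Date: 2025-04-16"
192.0.2.12,Hero C1,"V2.800.0000000.4.R, Build Date: 2025-02-30"
192.0.2.13,OTHER,"V2.800.0000000.2.R, Build Date: 2023-06-01"
192.0.2.14,ipc-wx,"V2.800.0000000.3.R, build date: 2025-04-15"
"""

def build_date(firmware):
    """Return the build date in a firmware string, or None if absent/invalid."""
    m = BUILD_RE.search(firmware or "")
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # impossible calendar date, e.g. 2025-02-30
        return None

def triage(row):
    """Classify one inventory row against the article's cutoff."""
    named = row["series"].strip().upper() in NAMED_SERIES
    built = build_date(row["firmware"])
    if built is None:
        return "REVIEW: build date unreadable"
    if built >= FIXED_BUILD:
        return "OK: built on/after cutoff"
    if named:
        return "VULNERABLE: patch now"
    return "REVIEW: old build, series not in named list"

def audit(text):
    """Map host -> triage result for a CSV inventory."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:<12} {verdict}")
```

Rows with an unreadable build date or a series outside the named list are sent to manual review rather than marked safe, since the article lists only five of the nine affected series.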
How Attackers Exploit These Flaws Without a Password
No password required — that is the blunt reality of how these Dahua vulnerabilities operate in practice. Attackers need nothing more than a target IP address.
From there, the database becomes an open door. Usernames and hashed passwords can be extracted directly, and here is the unsettling part: those hashes work for login without being cracked first. Think of it as finding a copied key rather than picking the lock.
CVE-2025-31700 and CVE-2025-31701 push things further. Specially crafted packets trigger buffer overflows in ONVIF protocol handling and file upload mechanisms, requiring zero authentication. Root-level access follows. Persistent daemons can be loaded silently.
The entire chain demands no user interaction whatsoever. Local network access is sufficient, though internet-exposed devices face considerably broader exposure. This highlights the importance of security best practices in device deployment and network configuration. Securing these devices involves understanding and mitigating vulnerabilities that can be exploited remotely.
Devices running firmware predating 16 April 2025 remain squarely in the crosshairs. ASLR offers partial resistance — but denial-of-service attacks remain viable regardless.
Once inside, attackers can modify configurations and access stored images and recordings, putting the private footage of homes and businesses directly in hostile hands. Research identified over 108,000 vulnerable devices in China alone, signaling the sheer scale of exposure across provinces and beyond.
What Happens When a Dahua Camera Gets Hijacked
Once the keys are handed over, the real damage begins. A hijacked Dahua camera isn’t just a broken security device — it’s an open door into everything connected behind it.
Attackers operating at root level can silently stream live footage, harvest stored recordings spanning months, and flog that material on dark web markets. Retail floors, casino interiors, private residences — all exposed without a single alert triggering.
But surveillance theft is almost the secondary concern. Compromised cameras become network pivot points, enabling lateral movement towards servers, workstations, and sensitive internal systems. Think of it as gaining one key that quietly duplicates itself across an entire building.
Credential harvesting adds another layer — ONVIF tokens, VPN details, shared passwords — all extractable and replayable. Persistent malware embeds itself at the firmware level, surviving reboots. Logging functions get disabled. The attacker becomes invisible. Additionally, many of these vulnerabilities are exacerbated by outdated security protocols, making exploitation easier for cybercriminals. Microsoft Defender’s Wi-Fi security features could potentially help protect connected devices from such threats by monitoring and alerting users to insecure networks and suspicious activity.
These vulnerabilities are especially alarming given that Dahua is the world’s second-largest CCTV manufacturer, meaning the scale of potential exposure spans countless installations across governments, businesses, and homes worldwide. Compounding the risk, some affected models such as the IPC A35 and 4631 carry non-purgeable firmware, meaning even a factory reset cannot fully eliminate a deeply embedded compromise.
How to Patch and Protect Your Dahua Cameras Now
Dahua has issued firmware patches for its most critically exploited vulnerabilities — and deploying them is the single most effective step any operator can take right now.
Without confirmed patch documentation available, responsible guidance still points toward foundational security hygiene that the broader surveillance community consistently endorses. Change default credentials immediately — factory passwords are fundamentally open invitations.
Segment cameras onto isolated network zones, cutting off lateral movement if one device gets compromised. Disable unnecessary remote access features, particularly UPnP, which quietly punches holes through firewalls like an uninvited houseguest.
Monitor Dahua’s official security advisory portal regularly. Vendors typically release patches quietly, leaving operators uninformed until damage is done. Implementing network segmentation and security best practices can significantly reduce potential damage from breaches. Maintaining awareness of security updates ensures you stay ahead of emerging threats.
The shared reality here? Millions of camera operators face identical exposure. Nobody wants to be the weak link — the unbarred door in an otherwise secured building.
Until verified patch specifics emerge, treat every unverified firmware source as suspect. Trust official channels exclusively. Cameras that survive compromise attempts can sometimes be recovered through port 3800, where the upgrade daemon allows a known working firmware file to be uploaded directly when standard interfaces are no longer reachable.
Physical vulnerabilities matter too — operators of models like the IPC-HDW5831R-ZE should routinely inspect ethernet connectors for water ingress, as damaged connection points can take a camera offline just as effectively as any remote exploit.
Final Thoughts
The Dahua vulnerabilities expose millions of CCTV cameras to critical security risks, with attackers actively exploiting outdated firmware to gain unauthorised access to surveillance systems. Organisations running unpatched Dahua devices are leaving themselves wide open to serious breaches that carry real-world consequences.
Zoo Computer Repairs can help protect your business by assessing your current camera firmware, applying the necessary security patches, and ensuring your surveillance infrastructure is locked down against known exploits. Whether you manage a single site or multiple locations, the team at Zoo Computer Repairs has the expertise for CCTV Camera Installation in the Brisbane Area.
