Vulnerable by Design: Dahua Camera Flaws Open Door to Remote Hijack

Anirudh Mittal

Security researchers have uncovered severe vulnerabilities in popular Dahua surveillance cameras, enabling remote attackers to seize control of devices without authentication. The bugs, now patched, could have granted hackers full root access, highlighting widespread risk in commercial and residential video monitoring systems.

Unseen, Unsecured: Dahua Camera Flaws

In a significant security lapse affecting one of the world’s largest manufacturers of surveillance technology, Romanian cybersecurity firm Bitdefender has disclosed two critical vulnerabilities in the firmware of Dahua smart cameras, warning that millions of globally deployed devices were potentially at risk before recent patches.

The flaws, registered as CVE-2025-31700 and CVE-2025-31701, each scored 8.1 on the CVSS (Common Vulnerability Scoring System) scale, marking them as “high severity.” If exploited, the bugs would allow unauthenticated attackers to remotely execute arbitrary commands, effectively hijacking the camera’s operations.

According to Bitdefender’s report, the vulnerabilities stem from buffer overflow bugs in the ONVIF protocol request handler and RPC file upload functionality, two core components of the camera’s network interface. Exploitation of these flaws could lead to remote code execution (RCE) or denial of service (DoS) without any interaction from the user.

Widespread Exposure: From Casinos to Homes, Millions at Risk

The affected models, including IPC-1XXX, IPC-2XXX, IPC-WX, IPC-ECXX, SD2A, SD3A, SD3D, SDT2A, and SD2C series, are widely deployed in retail outlets, casinos, logistics hubs, corporate campuses, and residential security setups. Dahua, headquartered in China, is one of the most prolific suppliers of video surveillance gear, with global deployment figures estimated in the tens of millions.

Bitdefender cautions that devices exposed to the internet via UPnP or port forwarding are particularly susceptible. The exploit chain allows hackers to bypass firmware integrity checks, enabling the upload of unsigned payloads and installation of persistent backdoors. In such cases, even rebooting or resetting the device may not eliminate the threat.

The researchers stated that attackers can achieve full root-level access to the device, modify its functions, or reroute video feeds without detection. It’s the kind of backdoor that’s invisible to most users and incredibly hard to clean once compromised.

Patch Now or Pay Later: Remediation Steps and Security Implications

Dahua has acknowledged the issues in a public alert issued last week, urging users to check the firmware build timestamp via the web interface under Settings → System Information → Version. Any firmware version built before April 16, 2025, is vulnerable and must be updated immediately.
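
For fleets too large to check one web interface at a time, the same test can be run over an exported device inventory. The script below is an added example, not code from Dahua, Bitdefender, or this article: it flags devices in the listed series whose firmware was built before April 16, 2025, and puts internet-exposed ones first. The CSV columns, hosts, version strings, and the "Build Date: YYYY-MM-DD" format are assumptions constructed for illustration.

```python
import csv, io, re
from datetime import date

# From the article: firmware built before this date is vulnerable.
FIXED_BUILD = date(2025, 4, 16)
# Affected series exactly as listed in the article.
AFFECTED_SERIES = {"IPC-1XXX", "IPC-2XXX", "IPC-WX", "IPC-ECXX",
                   "SD2A", "SD3A", "SD3D", "SDT2A", "SD2C"}
# Assumption: the recorded version field contains "Build Date: YYYY-MM-DD".
BUILD_RE = re.compile(r"Build Date:\s*(\d{4})-(\d{2})-(\d{2})")

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = """host,series,version,internet_exposed
10.0.5.11,IPC-2XXX,"V2.x, Build Date: 2024-11-02",yes
10.0.5.12,SD3A,"V2.x, Build Date: 2025-04-16",no
10.0.5.13,IPC-WX,"V2.x, Build Date: 2025-01-20",no
10.0.5.14,SD2C,V2.x,yes
10.0.5.15,NVR-OTHER,"V4.x, Build Date: 2023-06-01",no
"""

def classify(row):
    """Return 'not-listed', 'unknown', 'vulnerable' or 'patched' for one device."""
    if row["series"].strip().upper() not in AFFECTED_SERIES:
        return "not-listed"
    m = BUILD_RE.search(row["version"])
    if not m:
        return "unknown"  # no build date recorded: check the web interface by hand
    try:
        built = date(*map(int, m.groups()))
    except ValueError:
        return "unknown"  # malformed date such as 2025-13-40
    return "vulnerable" if built < FIXED_BUILD else "patched"

def triage(inventory_csv):
    """List (host, status, exposed) for devices needing action, exposed ones first."""
    todo = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row)
        if status in ("vulnerable", "unknown"):
            exposed = row["internet_exposed"].strip().lower() == "yes"
            todo.append((row["host"], status, exposed))
    # Internet-exposed first, then confirmed-vulnerable before unknown.
    return sorted(todo, key=lambda d: (not d[2], d[1] != "vulnerable", d[0]))

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE):
        print(f"{host:12} {status:10} {'EXPOSED' if exposed else 'internal'}")
```

Devices reported as "unknown" have no parseable build date in the inventory and still need the manual check described above.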

The company has also noted that some devices may include ASLR (Address Space Layout Randomization) and other modern protection mechanisms, but these are not guaranteed to prevent successful exploitation. In addition, denial-of-service (DoS) attacks remain a concern even where RCE fails. The incident has reignited concerns over IoT security hygiene, especially in the surveillance sector, where privacy, corporate intelligence, and physical security depend on reliable access control.

This case underscores the urgent need for device manufacturers to bake security into firmware development and for users to implement network segmentation and disable unnecessary internet exposure.
