Unauthenticated Bugs Allow Full Remote Code Execution

Unauthenticated attackers could remotely hijack Dahua Hero C1 smart cameras by exploiting firmware vulnerabilities, Bitdefender warned in a coordinated disclosure published Wednesday.
Bitdefender said one flaw resides in how the firmware handles ONVIF protocol messages. The protocol once stood for “Open Network Video Interface Forum” and is an industry standard for transmitting commands between software and networked security products such as cameras. The other flaw is an undocumented file upload endpoint.
“Successful exploitation provides root-level access to the camera with no user interaction,” Bitdefender said. “Because the exploit path bypasses firmware integrity checks, attackers can load unsigned payloads or persist via custom daemons, making cleanup difficult.”
Dahua Technology released patches on July 7 and published an advisory on July 23. The Dahua Hero C1 smart camera is designed for use by small business owners. The partially Chinese government-owned corporation reported roughly $4.5 billion in revenue during 2024 but is on a number of U.S. blacklists.
The first vulnerability, tracked as CVE‑2025‑31700, is a stack-based buffer overflow triggered by a malformed HTTP header. According to Bitdefender, an attacker can write an arbitrary number of bytes to the stack, “as long as the payload does not contain a ] character or a null byte.” This allows for a complete overwrite of CPU registers, the processor storage locations that hold data and instructions during processing, and execution redirection. Bitdefender’s proof-of-concept uses this flaw to drop an Executable and Linkable Format payload and “spawn a bind shell on port 4444 using LD_PRELOAD, bypassing binary signature checks.”
The second flaw, CVE‑2025‑31701, resides in the camera’s handler for an undocumented endpoint. It allows an attacker to overflow a .bss section buffer using the command sequence header field that appears in Session Initiation Protocol messages. The camera copies the header directly into the buffer due to a flawed implementation of a C programming language function that copies strings.
The Department of Commerce added Dahua in 2019 to its list of companies for which there exists a presumption of denial for U.S. companies seeking permission to sell technology to foreign companies. The federal government cited Dahua’s role in a campaign of repression perpetuated by Beijing against members of predominately Muslim Uighur and Kazakh ethnicities in the Chinese northwest Xinjiang region.
The Federal Communications Commission in November 2022 finalized a ban on future authorizations of Dahua equipment.
The Canadian, British and Australian governments have also pressured Chinese surveillance device makers in their respective countries.
Dahua is no stranger to flaws – not even to flaws based on its handling of ONVIF messages. Nozomi Networks in 2022 identified a flaw tracked as CVE-2022-30563 stemming from how some Dahua cameras implemented the specification’s handling of login information. The U.S. Cybersecurity and Infrastructure Security Agency in August 2024 added two Dahua vulnerabilities first identified in 2021 to its list of known exploited vulnerabilities.
Bitdefender recommended that users “avoid exposing the Dahua camera web interface of vulnerable models to the internet” and disable Universal Plug and Play networking and port forwarding. Devices with UPnP – which sends out multicast messages on a local network to discover other devices – “are especially at risk.” The cybersecurity firm also advised isolating the camera on its own virtual local area network.