The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding two critical vulnerabilities affecting Dahua IP cameras and related products. The issues were initially discovered in 2021. However, since researchers have recently demonstrated that these bugs are still being actively exploited by malicious actors, they have been added to CISA's catalog of known exploited vulnerabilities.
The vulnerabilities, identified as CVE-2021-33045 and CVE-2021-33044, allow attackers to bypass device authentication. By exploiting these flaws, attackers can craft malicious data packets to circumvent the authorization process. Both vulnerabilities have been assigned a CVSS score of 9.8.
CISA has directed federal agencies to either remediate the vulnerabilities by following the developers’ guidelines or cease using the products entirely by September 11, 2024. According to information on the manufacturer’s website, a software update is already available: it can be installed via the cloud, downloaded from the official website, or obtained through technical support services.
Dahua is a major global manufacturer of surveillance cameras. However, in November 2022, the U.S. Federal Communications Commission restricted the import and sale of Chinese telecommunications and surveillance equipment, stating that products from companies like Huawei, ZTE, Hytera, Hikvision, and Dahua “pose a threat to national security.”