CVE-2021-33045

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity...

Basic Information

CVE State: PUBLISHED
Reserved Date: May 17, 2021
Published Date: September 15, 2021
Last Updated: September 05, 2024
Vendor: n/a
Product: Some Dahua IP Camera, Video Intercom, NVR, XVR devices
Description: The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

10.0

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2024-08-21 00:00:00 UTC) Source
Seen in APT Campaigns: Yes (added 2022-02-01 00:00:00 UTC) (Fancy Bear) Source

References

https://www.dahuasecurity.com/support/cybersecurity/details/957 http://seclists.org/fulldisclosure/2021/Oct/13 http://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2024-08-21 00:00:00 UTC

Timeline

CVE ID Reserved

May 17, 2021
CVE Published to Public

September 15, 2021
Used in Fancy Bear APT Campaign

February 01, 2022
Added to KEVIntel

August 21, 2024