CVE-2025-34059
Dahua Smart Cloud Gateway Registration Management Platform SQL Injection
Basic Information
- CVE State: PUBLISHED
- Reserved Date: April 15, 2025
- Published Date: July 01, 2025
- Last Updated: November 20, 2025
- Vendor: Zhejiang Dahua Technology Co., Ltd.
- Product: Smart Cloud Gateway Registration Management Platform
- Description: An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
CVSS Scores
CVSS v4.0
8.7 - HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC Information
- Exploitation: none
- Technical Impact: partial
Exploit Status
- Exploited in the Wild: Yes (2026-01-29 00:00:00 UTC)
References
https://www.cnvd.org.cn/flaw/show/CNVD-2024-38747
https://www.cnblogs.com/LeouMaster/p/18509644
https://www.dahuatech.com/
https://pentest-tools.com/vulnerabilities-exploits/zhejiang-dahua-smart-cloud-gateway-registration-platform-sql-injection-cnvd-2024-38747_23762
https://vulncheck.com/advisories/dahua-smart-cloud-gateway-sql-injection
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2026-01-29 00:00:00 UTC |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel