Full Report
Researchers at Bitdefender have identified critical security vulnerabilities in the firmware of the Dahua Hero C1 (DH-H4C) smart camera series. The flaws, affecting the device's ONVIF protocol and file upload handlers, allow unauthenticated attackers to execute arbitrary commands remotely, effectively taking over the device. The vulnerabilities were reported to Dahua for responsible mitigation and disclosure and are now patched at the time of publication. Affected Devices The issues were ver
Analysis Summary
# Vulnerability: Critical RCE in Dahua Hero C1 Cameras via ONVIF and RPC Handlers
## CVE Details
- CVE ID: CVE-2025-31700, CVE-2025-31701
- CVSS Score: Not stated in the report; the flaws are described as critical and lead to full RCE.
- CWE: CWE-121 (Stack-based Buffer Overflow - for CVE-2025-31700), CWE-122 (Heap-based Buffer Overflow or similar flaw leading to control flow hijacking through global overwrite for CVE-2025-31701)
## Affected Systems
- Products: Dahua Hero C1 (DH-H4C) Smart Camera series. Dahua's internal audit also identified the following series as affected: IPC-1XXX Series, IPC-2XXX Series, IPC-WX Series, IPC-ECXX Series, SD3A Series, SD2A Series, SD3D Series, SDT2A Series, SD2C Series.
- Versions:
  - Verified vulnerable: Firmware version **V2.810.9992002.0.R (Build Date: 2024-01-23)**, ONVIF version **21.06**, Web UI version **V3.2.1.1452137**.
  - Other affected versions: Versions older than **2025/04/16** for the listed additional series.
- Configurations: Both vulnerabilities are exploitable remotely and require no authentication.
## Vulnerability Description
The report details two distinct critical vulnerabilities allowing unauthenticated Remote Code Execution (RCE):
1. **CVE-2025-31700 (ONVIF Stack Overflow):** The ONVIF protocol handler (port 80) incorrectly parses the `Host` header. A flawed `strncpy` implementation leads to an unbounded copy onto the stack if the header contains a `]` character not followed by a `:`. This allows an attacker to overflow the stack buffer, hijack execution flow, and overwrite CPU registers.
2. **CVE-2025-31701 (.BSS Segment Overflow):** A flaw in the handler for the undocumented endpoint `POST /RPC2_UploadFileWithName/*`. The firmware uses a flawed `strncpy` call to copy the `Cseq` HTTP header directly into a buffer in the `.bss` memory section. This allows overwriting adjacent global variables, specifically a structure containing pointers to session management functions, redirecting execution via those function pointers to `system()`.
## Exploitation
- Status: **PoC available**. The researchers developed proof-of-concept demonstrators for both flaws.
- Complexity: Low (no authentication is required and exploitation yields direct RCE).
- Attack Vector: **Network**. Exploitation occurs remotely over the network interface.
## Impact
- Confidentiality: High (Full code execution allows complete device compromise).
- Integrity: High (Full code execution allows modification of system state and installed firmware).
- Availability: High (Full code execution allows for denial of service or device tampering).
## Remediation
### Patches
- Dahua released patches confirmed prior to the public disclosure on July 30, 2025.
- Users are advised to update affected devices to firmware versions released on or after **2025/04/16** (for the listed secondary affected series) or consult the vendor advisory for specific DH-H4C patches.
### Workarounds
- No specific workarounds were detailed in the provided summary, but given the network attack vector, network segmentation or blocking external access to the camera management interfaces (such as port 80) would serve as a temporary mitigation.
## Detection
- **Indicators of Compromise (IoCs):** Successful exploitation leads to arbitrary command execution, potentially manifesting as network connections initiated by the camera (e.g., the PoC dropping an ELF payload via tftp and spawning a bind shell on port 4444).
- **Detection Methods and Tools:** Network monitoring tools capable of inspecting HTTP requests to port 80 (for ONVIF traffic) to identify abnormally long or crafted `Host` headers, or anomalous POST requests to `/RPC2_UploadFileWithName/*`.
## References
- Vendor advisories: Dahua Security Advisory (Referenced implicitly via coordinated disclosure timeline).
- Relevant links:
  - bitdefender dot com/en-us/blog/labs/vulnerabilities-identified-in-dahua-hero-c1-smart-cameras (main article)
  - cve dot org/CVERecord?id=CVE-2025-31700
  - cve dot org/CVERecord?id=CVE-2025-31701