DHCC-SA-202606-001: Security Advisory – Vulnerabilities found in some Dahua products
Advisory ID: DHCC-SA-202606-001
CVE ID:
CVE-2026-29114
CVE-2026-29115
CVE-2026-29116
Summary
CVE-2026-29114
A vulnerability has been found in some Dahua products. An attacker may obtain the device’s CA root certificate. If that CA is installed and trusted on client systems, the attacker could issue fraudulent certificates trusted by those clients and undermine the certificate trust chain.
CVE-2026-29115
A vulnerability found in some Dahua products could allow an authenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service.
CVE-2026-29116
A vulnerability found in some Dahua products could allow an unauthenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service.
Vulnerability Score
The vulnerability classification has been performed by using the CVSSv4.0 scoring system (http://www.first.org/cvss/specification-document).
CVE-2026-29114
Base Score: 2.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)
CVE-2026-29115
Base Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
CVE-2026-29116
Base Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
Affected Products
| CVE ID | Main Affected Models | Affected Version |
|---|---|---|
| CVE-2026-29114 | | Versions with a build time prior to 15th April 2026 (not including 15th April 2026) |
| CVE-2026-29115 | | Versions with a build time prior to 26th March 2026 (not including 26th March 2026) |
| CVE-2026-29116 | | Versions with a build time prior to 26th March 2026 (not including 26th March 2026) |
As of the date of this announcement, the specific list of affected product models can be found at the following link: Affected Models
Note: Please log in to the web interface of the product to check the build time, which you can find on the Settings-System Information-Version Information page (setting-systeminfo-version).
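For a fleet of devices, the build-time comparison above can be scripted. The following is an added example, not Dahua's code: it assumes each device is already known to be on the affected-models list and that its version string carries the build date as YYYY-MM-DD (an assumed format); the device names and version strings are constructed.

```python
import re
from datetime import date

# Cutoffs from the advisory: a build dated strictly before the cutoff is
# affected; a build dated on the cutoff day itself is not.
CUTOFFS = {
    "CVE-2026-29114": date(2026, 4, 15),
    "CVE-2026-29115": date(2026, 3, 26),
    "CVE-2026-29116": date(2026, 3, 26),
}

# Assumption: the build date appears as YYYY-MM-DD somewhere in the string.
_BUILD_DATE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

def parse_build_date(version_text):
    """Return the build date found in version_text, or None if absent/invalid."""
    m = _BUILD_DATE.search(version_text)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. 2026-02-30
        return None

def affected_cves(version_text):
    """Return the sorted CVE IDs that apply, or None if the date is unreadable."""
    build = parse_build_date(version_text)
    if build is None:
        return None
    return sorted(cve for cve, cutoff in CUTOFFS.items() if build < cutoff)

def triage(inventory):
    """Map each device to its CVE list; unreadable dates need a manual check."""
    report = {}
    for name, version_text in inventory.items():
        cves = affected_cves(version_text)
        report[name] = "CHECK MANUALLY" if cves is None else cves
    return report

# Constructed sample inventory (hypothetical names and version strings).
SAMPLE = {
    "cam-lobby": "Build Date: 2026-03-25",
    "cam-dock": "Build Date: 2026-03-26",
    "nvr-01": "Build Date: 2026-04-15",
    "cam-roof": "Build Date: unknown",
}

if __name__ == "__main__":
    for device, result in triage(SAMPLE).items():
        print(device, result)
```

A device whose build date cannot be read is reported for manual checking rather than treated as unaffected.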
Fix Software Download
Please download the corresponding fix software or update to the latest version of the product from the Dahua official website, or contact Dahua local technical support for assistance with upgrading your product.
- Cloud Upgrade: For products with cloud upgrade capabilities, the related fixed version can be obtained through cloud upgrade.
For products without cloud upgrade capability, please refer to the two channels below.
- Dahua Official website: https://www.dahuasecurity.com/download-center.
- Contact Dahua Technical Support Personnel in the country or region where you are located.
Contact of Support
For any questions or concerns related to the cybersecurity of Dahua products and solutions, please contact Dahua PSIRT at psirt@dahuatech.com.
Acknowledgment
Dahua would like to express its sincere gratitude to the following security researchers for discovering these vulnerabilities and coordinating disclosure with the Dahua PSIRT.
- CVE-2026-29114: Discovered by security researcher Rahul Ram.
- CVE-2026-29115 and CVE-2026-29116: Discovered by Thomas Weber from CyberDanube.
Security Commitment
Cybersecurity is a global challenge affecting all internet-connected devices, regardless of their origin. At Dahua, we are committed to maintaining the highest level of cybersecurity across our products and solutions, prioritising the swift resolution of any reported vulnerabilities. Dahua’s Product Security Incident Response Team (PSIRT) is dedicated to addressing security vulnerabilities promptly, notifying customers of potential risks, and sharing best practices to strengthen cybersecurity awareness.
In response to security issues reported by the security researchers, Dahua immediately conducted a comprehensive investigation of affected product models and is actively developing enhanced security measures to address the reported vulnerability.
In line with cybersecurity best practices, we strongly recommend that all Dahua customers follow our security advisory to ensure product systems are up-to-date and customers’ rights are fully protected. In the meantime, if customers have additional concerns on cybersecurity-related issues, please feel free to contact us at psirt@dahuatech.com.
Revision History
| Version | Description | Date |
|---|---|---|
| V1.0 | Initial public release | 10th June 2026 |