Security Advisory – Vulnerability found in Dahua NVR/XVR device
Advisory ID: DHCC-SA-202603-001
CVE ID: CVE-2025-31703
Summary
CVE-2025-31703
A vulnerability has been found in Dahua NVR/XVR devices. A malicious third party with physical access to the device may gain access to a restricted shell via the serial port and bypass the shell's authentication mechanism to escalate privileges.
Vulnerability Score
The vulnerability classification has been performed by using the CVSSv4.0 scoring system (http://www.first.org/cvss/specification-document).
CVE-2025-31703
Base Score: 2.4 (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Affected Products
| CVE ID | Main Affected Models | Affected Version | Fix Software |
|---|---|---|---|
| CVE-2025-31703 | NVR2-4KS3 | Versions with a build time prior to 3rd March 2026 (not including 3rd March 2026) | DH_NVR2X-4KS3_MultiLang_V4.005.0000000.6.R.260304.zip |
| CVE-2025-31703 | XVR4232AN-I/T, XVR1B16H-I/T | Versions with a build time prior to 3rd March 2026 (not including 3rd March 2026) | DH_XVR4x32-IT_MultiLang_V4.004.0000001.1.R.260304.zip |
Versions with a build time after 3rd March 2026 are not affected by this vulnerability.
Note: Please log in to the Web interface of the product to check the build time, which you can find on the Settings-System Information-Version Information page (setting-systeminfo-version).
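The following is an added example, not Dahua's code, for triaging a device inventory against the build-time rule stated above, including the 3rd March 2026 build day that the advisory's wording leaves on neither side. It assumes the six digits after `.R.` in a version string are the build date as YYMMDD, as the fix file names suggest, and that the operator records models exactly as the table names them; the inventory rows are constructed.

```python
import re
from datetime import date

# Advisory rule: builds prior to 3rd March 2026 are affected.
CUTOFF = date(2026, 3, 3)
# Models named in the advisory's Affected Products table.
AFFECTED_MODELS = ("NVR2-4KS3", "XVR4232AN-I/T", "XVR1B16H-I/T")
# Assumption: the six digits after ".R." are the build date as YYMMDD.
BUILD_RE = re.compile(r"\.R\.(\d{2})(\d{2})(\d{2})\b")

def build_date(version):
    """Return the build date encoded in a version string, or None."""
    m = BUILD_RE.search(version)
    if not m:
        return None
    yy, mm, dd = (int(g) for g in m.groups())
    try:
        return date(2000 + yy, mm, dd)
    except ValueError:  # impossible date such as month 13
        return None

def classify(model, version):
    """Classify one device against the advisory's build-time rule."""
    if model not in AFFECTED_MODELS:
        return "not-listed"
    built = build_date(version)
    if built is None:
        return "unknown-build"  # read the build time from the web interface
    if built < CUTOFF:
        return "affected"
    if built == CUTOFF:
        return "review"  # the advisory's wording leaves this day unspecified
    return "fixed"

def audit(inventory):
    return {label: classify(model, ver) for label, model, ver in inventory}

# Constructed inventory: (label, model as recorded by the operator, version).
INVENTORY = [
    ("nvr-lobby", "NVR2-4KS3", "V4.005.0000000.6.R.260304"),  # fix build named in the advisory
    ("nvr-dock", "NVR2-4KS3", "V4.005.0000000.1.R.250811"),  # constructed
    ("xvr-gate", "XVR4232AN-I/T", "V4.004.0000001.0.R.260303"),  # constructed
    ("xvr-lab", "XVR1B16H-I/T", "V4.004.0000001.0"),  # constructed, no build field
]

if __name__ == "__main__":
    for label, status in audit(INVENTORY).items():
        print(f"{label:10} {status}")
```

Devices reported as `unknown-build` or `review` need the build time confirmed on the Version Information page before they are treated as fixed.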
Fix Software Download
We recommend that users regularly check our website for updates and ensure devices are running the latest software versions. Please download and install the latest software from the Dahua Official website, or contact Dahua local technical support for assistance with upgrading your product.
- Cloud Upgrade: For products with cloud upgrade capabilities, the related repaired version can be obtained through cloud upgrade.
For products without cloud upgrade capability, please use one of the two channels below.
- Dahua Official website: https://www.dahuasecurity.com/download-center
- Contact Dahua Technical Support Personnel in the country or region where you are located.
Contact of Support
For any questions or concerns related to the cybersecurity of Dahua products and solutions, please contact Dahua PSIRT at psirt@dahuatech.com.
Acknowledgment
Dahua would like to express its sincere gratitude to the Tarlogic Security Research Team for identifying this vulnerability.
Security Commitment
Cybersecurity is a global challenge affecting all internet-connected devices, regardless of their origin. At Dahua, we are committed to maintaining the highest level of cybersecurity across our products and solutions, prioritising the swift resolution of any reported vulnerabilities. Dahua’s Product Security Incident Response Team (PSIRT) is dedicated to addressing security vulnerabilities promptly, notifying customers of potential risks, and sharing best practices to strengthen cybersecurity awareness.
In response to security issues reported by the Tarlogic Team, Dahua immediately conducted a comprehensive investigation of affected product models and is actively developing enhanced security measures to address the reported vulnerability.
In line with cybersecurity best practices, we strongly recommend that all Dahua customers follow our security advisory to ensure product systems are up-to-date and customers’ rights are fully protected. In the meantime, if customers have additional concerns on cybersecurity-related issues, please feel free to contact us at psirt@dahuatech.com.
Revision History
| Version | Description | Date |
|---|---|---|
| V1.0 | Initial public release | 18th March 2026 |