Security Advisory – Vulnerability found in some Dahua products

2025-10-15

Advisory ID: DHCC-SA-202510-001

CVE ID: CVE-2025-31702


Summary

CVE-2025-31702

A vulnerability exists in certain Dahua embedded products. A malicious third party who has obtained normal user credentials could exploit the vulnerability, through a specific HTTP request, to access certain data that is restricted to admin privileges, such as system-sensitive files. This may allow tampering with the admin password, leading to privilege escalation. Systems with only an admin account are not affected.


Vulnerability Score

The vulnerability classification has been performed by using the CVSSv3.1 scoring system (http://www.first.org/cvss/specification-document).

CVE-2025-31702

Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Temporal Score: 6.1 (E:P/RL:O/RC:C)


Affected Products

CVE ID: CVE-2025-31702

Main Affected Models:

  • IPC-1XXX Series
  • IPC-2XXX Series
  • IPC-WX Series
  • IPC-ECXX Series
  • SD3A Series
  • SD2A Series
  • SD3D Series
  • SDT2A Series
  • SD2C Series
  • TPC-AEBF5201 Series
  • TPC-CA Series

Affected Version: Versions with a Build time prior to 1st July 2025 (not including 1st July 2025)

As of the date of this announcement, the specific list of affected product models can be found at the following link: Affected Models.

Versions with a Build time after 1st July 2025 are not affected by the vulnerability.


Note: Please log in to the web interface of the product to check the Build time, which you can find on the Settings-System Information-Version Information page (setting-systeminfo-version).


Fix Software Download

Please download the corresponding fix software or update to the latest version of the product from the Dahua official website, or contact Dahua local technical support to upgrade your product.

  • Speed Cloud Upgrade: For products with cloud upgrade capability, the fixed version can be obtained through cloud upgrade.

For products without cloud upgrade capability, please use one of the two channels below.

  • Dahua official website: https://www.dahuasecurity.com/support/downloadCenter.
  • Contact Dahua technical support personnel in the country or region where you are located.


Contact of Support

For any questions or concerns related to the cybersecurity of Dahua products and solutions, please contact Dahua PSIRT at psirt@dahuatech.com.


Acknowledgment

Dahua would like to express its sincere gratitude to the ITRES Security Research Team for identifying this vulnerability and for responsibly disclosing it through Dahua PSIRT.


Security Commitment

Cybersecurity is a global challenge affecting all internet-connected devices, regardless of their origin. At Dahua, we are committed to maintaining the highest level of cybersecurity across our products and solutions, prioritising the swift resolution of any reported vulnerabilities. Dahua’s Product Security Incident Response Team (PSIRT) is dedicated to addressing security vulnerabilities promptly, notifying customers of potential risks, and sharing best practices to strengthen cybersecurity awareness.


In response to the security issues reported by the ITRES Team, Dahua immediately conducted a comprehensive investigation of affected product models and has developed patches and firmware that fix the vulnerabilities.


We strongly suggest, consistent with cybersecurity best practice, that all Dahua customers follow our security advisory in order to ensure product systems are up to date and customers’ rights are fully protected. In the meantime, customers with other concerns about cybersecurity-related issues are welcome to contact us at psirt@dahuatech.com.


Revision History

Version    Description               Date
V1.0       Initial public release    15 October 2025