Dahua PSIRT

The Dahua Product Security Incident Response Team (Dahua PSIRT) is responsible for receiving, handling and publicly disclosing security vulnerabilities related to Dahua products and solutions. It is the only outlet through which the company can disclose vulnerability information about its products and solutions. As a member of the international CVE Numbering Authorities (CNAs), Dahua PSIRT implements a complete vulnerability management process in compliance with ISO/IEC 30111 and ISO/IEC 29147, and follows industry best practices to fix discovered vulnerabilities in a timely manner.

Security Advisories

Security Notices

2023-02-08

DHCC-SA-202302-001: Security Advisory – Unauthorized device timestamp modification vulnerability exists in some Dahua embedded products

CVE-2022-30564

2022-12-20

DHCC-SA-202212-001: Security Advisory – Vulnerabilities found in Dahua software products

CVE-2022-45423 CVE-2022-45424 CVE-2022-45425 CVE-2022-45426 CVE-2022-45427 CVE-2022-45428 CVE-2022-45429 CVE-2022-45430 CVE-2022-45431 CVE-2022-45432 CVE-2022-45433 CVE-2022-45434

2022-06-28

DHCC-SA-202206-001: Security Advisory – Vulnerabilities found in some Dahua products

CVE-2022-30560 CVE-2022-30561 CVE-2022-30562 CVE-2022-30563

2022-01-12

DHCC-SA-202201-001: Security Advisory – Access control vulnerability found in some Dahua products

CVE-2021-33046

2021-12-15

DHCC-SA-202112-001: Security Advisory – Vulnerabilities Found in Apache Log4j Library Affecting Some Dahua Products

CVE-2021-44228 CVE-2021-45046 CVE-2021-45105 CVE-2021-44832

Report a vulnerability

We encourage users, partners, suppliers, security organizations and independent researchers to actively report any security risks or vulnerabilities related to Dahua products and solutions to Dahua PSIRT by email. Due to the sensitivity of vulnerability information, we recommend encrypting the report with our PGP public key (Key ID: 0xC6068E4B; PGP Fingerprint: 61769A82F67E062CA46C19A6DEA2F8C6068E4B) and sending it to psirt@dahuatech.com. To facilitate timely verification and location of vulnerabilities, the email should include the following:

1. Organization/Title and Contact Information
2. Description of potential security risks/vulnerabilities
3. Technical details (e.g. system configuration, positioning method, description/screenshot of exploit, sample captured images, POC, steps to reproduce problems, etc.)
4. Product name, model and software/firmware version where the security risks/vulnerabilities are located
5. Possible vulnerability disclosure plan

How we deal with vulnerabilities

Dahua PSIRT will strictly control the scope of vulnerability information and limit it to only the relevant personnel who deal with vulnerabilities. At the same time, the vulnerability reporter is also required to keep the vulnerability confidential until it is publicly disclosed.

Dahua PSIRT discloses security vulnerabilities in the following two forms:

1. SA (Security Advisory): for the release of information about security vulnerabilities related to Dahua products and solutions, including but not limited to vulnerability descriptions, fixes, etc.
2. SN (Security Notice): for the responses to security topics related to Dahua products and solutions, including but not limited to vulnerabilities and security incidents.

Dahua PSIRT adopts the CVSSv3 standard and gives a Base Score and a Temporal Score for each security vulnerability assessment. Customers can also calculate their own Environmental Score according to their needs.
For the CVSSv3 specification, visit this link: https://www.first.org/cvss/specification-document

Our responses to vulnerabilities

Receive

Receive and collect suspected security vulnerabilities of products

Verify

Coordinate with relevant teams to conduct vulnerability verification and risk rating

Repair

Analyze the cause of the vulnerability and implement the repair

Disclose

Actively disclose vulnerability information and release fixed firmware

Improve

Improve vulnerability scanning capability and transform to product security requirements