Share
## https://sploitus.com/exploit?id=051FFBEE-24F6-52B4-845D-14694CF4C46B
# CVE-2026-29115 โ€” Dahua Authenticated Remote Denial of Service

[![CVSS 4.0](https://img.shields.io/badge/CVSS_4.0-6.9_MEDIUM-yellow?style=flat-square)](https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
[![Remotely Exploitable](https://img.shields.io/badge/Remotely_Exploitable-Yes-orange?style=flat-square)](#attack-prerequisites)
[![Authentication](https://img.shields.io/badge/Authentication-Required-orange?style=flat-square)](#attack-prerequisites)

> **Advisory type:** Vendor-coordinated security disclosure  
> **CVE ID:** [CVE-2026-29115](https://vulners.com/cve/CVE-2026-29115)  
> **Vendor:** Dahua Technology  
> **Published:** 2026-06-10T06:08:21 UTC  
> **Last Modified:** 2026-06-10T06:08:21 UTC  
> **Source:** [Dahua Product Security Incident (PSI) Trust Center](https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psi)

---

## Table of Contents

- [Executive Summary](#executive-summary)
- [At a Glance](#at-a-glance)
- [Relationship to CVE-2026-29116](#relationship-to-cve-2026-29116)
- [Vulnerability Timeline](#vulnerability-timeline)
- [Description](#description)
- [Technical Analysis](#technical-analysis)
- [Affected Products](#affected-products)
- [CVSS Scoring](#cvss-scoring)
- [Vulnerability Scoring Details](#vulnerability-scoring-details)
- [CWE Classification](#cwe-classification)
- [Attack Prerequisites](#attack-prerequisites)
- [Exploitation Scenarios](#exploitation-scenarios)
- [Impact Assessment](#impact-assessment)
- [Detection and Indicators of Compromise](#detection-and-indicators-of-compromise)
- [Mitigation and Remediation](#mitigation-and-remediation)
- [Workarounds](#workarounds)
- [Vendor Response](#vendor-response)
- [References](#references)
- [Disclaimer](#disclaimer)
- [Document Revision History](#document-revision-history)

---

## Executive Summary

A **medium-severity, authenticated remote denial-of-service vulnerability** has been identified in select Dahua **IPC (IP camera)** and **SD (speed dome / PTZ)** products. An attacker who already possesses **valid device credentials** can send a **specially crafted network packet** to a vulnerable unit. Processing that packet triggers an **unhandled exception** (consistent with a reachable assertion or fatal error path), causing the device to **reboot unexpectedly**.

Unlike its sibling disclosure [CVE-2026-29116](../CVE-2026-29116/README.md), which requires **no authentication**, this flaw demands **high privileges** (`PR:H`) on the target device. That constraint reduces practical exploitability for opportunistic internet-wide attackers, but the risk remains material in environments where camera credentials are shared, default, leaked, or recoverable โ€” a common condition in legacy CCTV deployments.

The vulnerability does **not** demonstrate direct confidentiality or integrity impact in the published CVSS vector. Availability impact is rated **High**, producing a **CVSS 4.0 base score of 6.9 (MEDIUM)**.

Organizations operating affected Dahua IPC or SD hardware with firmware builds **prior to March 26, 2026** should patch, rotate credentials, and restrict management-plane access.

> **Note on advisory labeling:** Some indexes title this CVE **"Dahua Buffer Overflow."** The vendor description, CVSS metrics (`VA:H` only), and **CWE-617 (Reachable Assertion)** classification describe a **crash/reboot denial-of-service** after authenticated packet delivery โ€” not a scored memory-corruption confidentiality/integrity breach. This document follows the vendor description and scoring data. Buffer handling may still be part of the underlying defect, but the **published impact is availability-only**.

---

## At a Glance

| Field | Value |
|---|---|
| **CVE ID** | CVE-2026-29115 |
| **Vendor** | Dahua Technology |
| **Vulnerability Type** | Denial of Service (unexpected reboot) |
| **Attack Vector** | Network |
| **Authentication Required** | **Yes** (high privileges) |
| **User Interaction Required** | No |
| **Privileges Required** | **High** |
| **CVSS Version** | 4.0 |
| **CVSS Base Score** | **6.9 โ€” MEDIUM** |
| **CVSS Vector** | `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N` |
| **CWE** | CWE-617 (Reachable Assertion) |
| **Remotely Exploitable** | Yes |
| **Published Date** | 2026-06-10 |
| **Fix Availability** | Firmware builds from **March 26, 2026** onward (per vendor guidance) |

---

## Relationship to CVE-2026-29116

Both CVEs were published on **2026-06-10** from the same Dahua PSI disclosure batch. They share structural similarities but differ in scope and attacker model.

| Attribute | CVE-2026-29115 (this advisory) | [CVE-2026-29116](../CVE-2026-29116/README.md) |
|---|---|---|
| **CVSS 4.0 Score** | **6.9 โ€” MEDIUM** | **8.7 โ€” HIGH** |
| **Privileges Required** | **High (`PR:H`)** | **None (`PR:N`)** |
| **Affected Families** | **IPC, SD** | IPC, SD, NVR, XVR, EVS, VTO, VTH, ASI, TPC |
| **Published (UTC)** | 2026-06-10T06:08:21 | 2026-06-10T06:16:34 |
| **Observed Outcome** | Unexpected reboot (DoS) | Unexpected reboot (DoS) |
| **CWE** | CWE-617 | CWE-617 |
| **Index Title** | Buffer Overflow | Cross-Site Scripting (mislabeled) |

**Defender takeaway:** Patch both issues on overlapping IPC/SD estates. Prioritize **29116** for internet-exposed devices (unauthenticated). Prioritize **29115** where **operator or integrator credentials** are widely known, stored in VMS databases, or embedded in mobile apps.

---

## Vulnerability Timeline

| Date | Event |
|---|---|
| **โ‰ค 2026-03-26** | Vulnerable IPC/SD firmware builds in active distribution |
| **2026-03-26** | Vendor fix cutoff โ€” builds produced on or after this date are outside the affected range (per advisory) |
| **2026-06-10T06:08:21 UTC** | CVE-2026-29115 published |
| **2026-06-10T06:08:21 UTC** | NVD record last modified |
| **2026-06-10T06:16:34 UTC** | Related CVE-2026-29116 published (unauthenticated variant) |
| **Ongoing** | Operators should inventory IPC/SD fleets, patch, and harden credentials |

---

## Description

Dahua has reported a security vulnerability affecting **certain models** within its **IPC** and **SD** product lines. The flaw exists in network-accessible software that accepts authenticated sessions and processes attacker-influenced protocol data without sufficient validation or safe failure handling.

**Observed behavior:**

1. An **authenticated remote attacker** with **high privileges** on the device transmits a **specially crafted packet** over the network.
2. The device's handler processes the packet and enters an **exceptional code path** โ€” for example, a failed assertion, unhandled fault, or unrecoverable internal error consistent with **CWE-617 (Reachable Assertion)**.
3. The exception causes the **system to reboot unexpectedly**.
4. The camera or speed dome remains unavailable until the reboot completes. Repeated exploitation can cause **sustained denial of service**.

**What this vulnerability is not (per CVSS metrics):**

- It does **not** require victim user interaction such as opening a malicious link (`UI:N`).
- It does **not** demonstrate direct **confidentiality** impact (`VC:N`).
- It does **not** demonstrate direct **integrity** impact (`VI:N`).
- It does **not** show subsequent-system impact (`SC:N`, `SI:N`, `SA:N`).

**What distinguishes it from unauthenticated variants:**

- The attacker **must already hold credentials** sufficient to satisfy the device's **high privilege** threshold (`PR:H`). In practice this often maps to administrative or equivalent device-level accounts rather than read-only monitoring users โ€” exact role mapping is product-specific and should be confirmed against vendor documentation.

---

## Technical Analysis

### Root Cause (Inferred)

Public vendor text does not disclose the vulnerable function, service name, or exact buffer dimensions. Based on the published CWE, title, and behavior, plausible root-cause categories include:

| Category | Explanation |
|---|---|
| **Reachable assertion on bad input** | Authenticated code path validates insufficiently and hits `assert()` or equivalent on malformed lengths or fields. |
| **Buffer mishandling leading to fatal abort** | Oversized or malformed payload exceeds an internal buffer; defensive check fails fatally instead of returning an error. |
| **State machine corruption** | Crafted packet drives parser into illegal state; integrity check triggers process termination. |

The **published outcome** is **reboot-level availability loss**, not proven remote code execution or data exfiltration in the CVSS record.

### Why "Buffer Overflow" May Appear in Titles

CVE titles are not always precise. A buffer overflow class defect can manifest as:

- Immediate crash (availability impact only)
- Controlled memory corruption (potential RCE โ€” **not scored** in this CVE record)

Here, vendor scoring limits impact to **availability**, suggesting either non-exploitable corruption, abort-before-exploitation, or vendor assessment that practical integrity/confidentiality outcomes are not achieved.

### Attack Surface (Authenticated Plane)

Because exploitation requires **high privileges**, the relevant surface is typically the **management and configuration API** available after login, not anonymous discovery endpoints. Depending on model and firmware, that may include:

- Authenticated HTTP/HTTPS configuration APIs
- Device maintenance and upgrade interfaces
- PTZ / lens control channels on SD products
- Proprietary configuration tunnels reachable post-authentication
- SDK-integrated management sessions used by VMS platforms

Attackers with credentials harvested from VMS databases, installer laptops, or default `admin` accounts can reach these planes from anywhere the management port is exposed.

### IPC vs. SD Operational Differences

| Product | Typical Deployment | DoS Impact Nuance |
|---|---|---|
| **IPC** | Fixed cameras, door-eye, small business | Single-sensor outage; may break one coverage zone |
| **SD** | PTZ domes, perimeter tracking | Loss of active tracking; preset patrol interruption; larger mechanical subsystem reset latency |

SD reboots may take longer to return to calibrated PTZ state, extending effective downtime beyond raw boot time.

---

## Affected Products

### Vendor Summary

| # | Vendor | Product Families | Version / Build Guidance |
|---|---|---|---|
| 1 | **Dahua** | **IPC / SD** | **Affected:** firmware builds **before March 26, 2026** (limited to certain models within each family) |

**Totals:** 1 affected vendor ยท 1 affected product grouping (IPC + SD)

### Product Family Reference

| Family | Typical Role | Example Operational Impact |
|---|---|---|
| **IPC** | Fixed IP cameras | Live view loss, recording gaps, analytics dropout |
| **SD** | Speed domes / PTZ cameras | Tracking failure, patrol interruption, preset loss until recalibration |

### Out-of-Scope Families (This CVE)

The following Dahua lines are **not listed** for CVE-2026-29115 (though they may be affected by other CVEs such as [CVE-2026-29116](../CVE-2026-29116/README.md)):

- NVR, XVR, EVS (recorders / storage)
- VTO, VTH (video intercom)
- ASI (access / security interfaces)
- TPC (thermal / specialty)

### Model Scope Caveat

Only **certain models** within IPC and SD are affected. Operators must verify:

1. Exact model number
2. Firmware **build date** (fixed builds: **on or after 2026-03-26**)
3. Official Dahua PSI model matrix

---

## CVSS Scoring

### Summary

| Score | Version | Severity | Vector |
|---|---|---|---|
| **6.9** | **4.0** | **MEDIUM** | `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N` |

### CVSS 4.0 Metric Breakdown

| Metric | Value | Meaning for this CVE |
|---|---|---|
| **AV (Attack Vector)** | Network (`N`) | Exploitation over network; remote attackers qualify when management services are reachable |
| **AC (Attack Complexity)** | Low (`L`) | No special race conditions or environmental constraints indicated |
| **AT (Attack Requirements)** | None (`N`) | No additional deployment quirks beyond auth + reachability |
| **PR (Privileges Required)** | **High (`H`)** | Attacker must hold high-privilege device credentials |
| **UI (User Interaction)** | None (`N`) | No end-user click or browser action required |
| **VC (Vuln System Confidentiality)** | None (`N`) | No direct confidentiality loss scored |
| **VI (Vuln System Integrity)** | None (`N`) | No direct integrity loss scored |
| **VA (Vuln System Availability)** | High (`H`) | Reboot-class outage |
| **SC / SI / SA** | None | No subsequent-system impacts scored |

### Why PR:H Lowers the Score vs. CVE-2026-29116

`PR:H` is the primary score differentiator versus the unauthenticated sibling:

| Factor | Effect |
|---|---|
| Credential acquisition barrier | Opportunistic WAN scanners cannot exploit without secrets |
| Insider / post-breach threat | Still serious when VMS, installers, or defaults provide admin access |
| Lateral movement | Compromised workstation with stored camera passwords becomes exploitation launch point |

**6.9 MEDIUM** should not be read as "low priority everywhere." In credential-weak CCTV environments, authenticated camera attacks are **routine**.

---

## Vulnerability Scoring Details

Visual summary of the published CVSS 4.0 selector positions:

### Exploit Characteristics

```
Attack Vector:          [Network]  Adjacent  Local  Physical
Attack Complexity:      [Low]      High
Attack Requirements:    [None]     Present
Privileges Required:      None     Low      [High]
User Interaction:       [None]     Passive  Active
```

### Impact on Vulnerable System

```
Vuln Confidentiality:   [None]     Low      High
Vuln Integrity:         [None]     Low      High
Vuln Availability:      [High]     Low      None
```

### Subsequent System Impact

```
Subseq Confidentiality: [None]     Low      High
Subseq Integrity:       [None]     Low      High
Subseq Availability:    [None]     Low      High
```

---

## CWE Classification

| # | CWE ID | Name | Relevance |
|---|---|---|---|
| 1 | **CWE-617** | [Reachable Assertion](https://cwe.mitre.org/data/definitions/617.html) | Untrusted input reaches a fatal assertion or abort path in privileged code |

### CWE-617 in Authenticated Contexts

Authenticated vulnerabilities are often dismissed as "only insiders." In surveillance networks:

- Integrator accounts are shared across customer sites
- VMS servers store device passwords centrally
- Default credentials survive for years on isolated VLANs
- Former employees retain admin access absent rotation

A reachable assertion behind the **authenticated management plane** is therefore still a **material risk**, especially paired with credential reuse.

### Buffer Overflow vs. CWE-617

If the underlying defect involves memory corruption, CWE-617 may reflect the **observable production behavior** (fatal abort) rather than the full weakness taxonomy. Defenders should patch regardless of index naming.

---

## Attack Prerequisites

| Prerequisite | Required? | Notes |
|---|---|---|
| **High-privilege device credentials** | **Yes** | `PR:H` โ€” admin-class access (product-specific) |
| Victim user interaction | No | No phishing or browser action needed |
| Network reachability | Yes | Management or authenticated service port reachable |
| Prior compromise of another system | Helpful, not mandatory | Stolen creds from VMS qualifies |
| Internet exposure | Not required | Increases remote exploit feasibility |
| Knowledge of target model | Helpful | Crafted packet may be model/firmware specific |

**Remotely Exploitable:** **Yes** (once credentials and network path exist)

---

## Exploitation Scenarios

### Scenario 1 โ€” Disgruntled Insider

A technician with admin credentials for all site cameras sends crafted packets to IPC endpoints during off-hours, repeatedly rebooting critical coverage zones.

### Scenario 2 โ€” Stolen VMS Password Vault

An attacker exfiltrates the camera password database from a compromised Milestone / Genetec / custom VMS host. They remotely reboot every Dahua IPC on the customer's WAN without further privilege escalation.

### Scenario 3 โ€” Default Credential Sweeps

An attacker authenticates with factory defaults (`admin` / known password lists) on internet-exposed cameras, then triggers reboot loops to harass or blind monitoring during a physical intrusion elsewhere on the property.

### Scenario 4 โ€” SD PTZ Sabotage During Active Tracking

A stadium speed dome tracks a security event. Authenticated crafted input reboots the SD unit, losing active PTZ tracking and preset positioning during a critical window.

### Scenario 5 โ€” Post-Initial-Compromise Lateral Noise

After phishing an installer laptop, an attacker uses stored credentials to disrupt cameras โ€” degrading forensic capture while a separate team conducts physical entry.

---

## Impact Assessment

### Technical Impact

| Domain | Rating | Detail |
|---|---|---|
| Confidentiality | None (direct) | Not scored in published vector |
| Integrity | None (direct) | Not scored in published vector |
| Availability | **High** | Unexpected reboot; repeatable |

### Business Impact (Contextual)

| Sector | Potential Consequence |
|---|---|
| Retail | Blind spots during shrink events |
| Transportation | Platform / concourse camera gaps |
| Critical infrastructure | Perimeter PTZ tracking loss |
| Corporate campuses | Parking and entrance coverage dropout |

### Auth Barrier vs. Real-World Risk

| Environment | Practical Risk Level |
|---|---|
| Strong unique creds + no WAN exposure | Lower โ€” attacker must breach auth first |
| Shared integrator password across 500 cameras | **High** โ€” single secret enables mass DoS |
| Internet port-forward with default admin | **High** โ€” resembles unauthenticated practical risk |
| Air-gapped LAN, tight ACLs | Moderate โ€” insider or lateral movement dependent |

---

## Detection and Indicators of Compromise

No public packet signature is documented. Focus on **authenticated session abuse** correlated with **reboot events**.

### Host / Device Indicators

- Unexpected reboots following authenticated management sessions from unusual source IPs
- Fatal error or assertion messages in device logs immediately before restart
- Short uptimes after admin API activity
- SD units losing PTZ calibration flags after unplanned reboot

### Authentication Indicators

- Admin login successes from geolocations or subnets not used by operators
- Burst of authenticated API calls from a single account across many cameras
- Off-hours configuration sessions without change tickets
- Use of legacy integrator accounts thought to be retired

### Network Indicators

- Management port traffic (HTTP/S, proprietary SDK ports) immediately preceding offline events
- Repeated identical payload sizes or anomalous request patterns post-login
- Correlation between VPN egress IP and camera syslog reboot timestamps

### Recommended Actions

- Enable **syslog** on IPC/SD devices to centralized SIEM
- Alert on **mass disconnect** from VMS within short intervals
- Correlate **authentication logs** with **watchdog reboot** events
- Audit accounts with **admin** privileges; remove unused integrator logins

---

## Mitigation and Remediation

### Primary Remediation โ€” Firmware Update

1. Inventory all Dahua **IPC and SD** units with model, serial, and firmware build date.
2. Flag devices with builds **before March 26, 2026**.
3. Obtain fixed firmware from the [Dahua PSI Trust Center](https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psi).
4. Upgrade during maintenance windows; verify streams, PTZ presets, and analytics after reboot.
5. Confirm build date in device UI or ONVIF/SDK query post-patch.

### Credential Hygiene (Critical for PR:H Flaws)

| Action | Rationale |
|---|---|
| **Rotate all camera admin passwords** | Neutralizes stolen creds from old VMS exports |
| **Unique password per device** | Limits blast radius of one leaked secret |
| **Disable unused accounts** | Removes dormant integrator backdoors |
| **Enforce strong password policy** | Reduces default-credential guessing |
| **Migrate to centralized auth** where supported | Improves auditability and revocation |

### Network Controls

| Control | Objective |
|---|---|
| **Segment cameras on dedicated VLANs** | Contain lateral movement |
| **Restrict management ports by source IP** | Only VMS and jump hosts may authenticate |
| **Eliminate raw WAN port-forwarding** | Force VPN or zero-trust access |
| **Disable unused services** | Shrink authenticated attack surface |
| **Monitor admin API access** | Detect abuse before repeated reboots |

### Coordinated Patching with CVE-2026-29116

On IPC/SD estates, apply firmware that addresses **both** CVE-2026-29115 and [CVE-2026-29116](../CVE-2026-29116/README.md). The unauthenticated issue is strictly worse from an exposure standpoint; authenticated issues remain dangerous where secrets are weak.

---

## Workarounds

No configuration-only workaround is documented that fully removes the vulnerability without upgrading firmware. Until patched:

1. **Rotate and harden credentials** โ€” reduces who can meet `PR:H`.
2. **Restrict management access** to trusted subnets and VPN only.
3. **Monitor for reboot loops** and block offending sources at the firewall.
4. **Disable remote admin** on cameras that only need outbound cloud/P2P connectivity (architecture-dependent).

---

## Vendor Response

Dahua published this issue through its **Product Security Incident (PSI)** program:

- **Trust Center / PSI:** https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psi

Consult the vendor bulletin for:

- Model-specific affected IPC/SD lists
- Fixed firmware images and release notes
- Any additional hardening guidance

---

## References

| Resource | URL |
|---|---|
| Dahua PSI Trust Center | https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psi |
| NVD Entry | https://nvd.nist.gov/vuln/detail/CVE-2026-29115 |
| CVE Record | https://vulners.com/cve/CVE-2026-29115 |
| Related: CVE-2026-29116 | https://vulners.com/cve/CVE-2026-29116 |
| CWE-617 Definition | https://cwe.mitre.org/data/definitions/617.html |
| CVSS 4.0 Specification | https://www.first.org/cvss/v4.0/specification-document |

---

## Disclaimer

This document is an **informational security advisory** compiled from publicly available CVE metadata and vendor statements. It is intended to assist defenders, integrators, and researchers in understanding **CVE-2026-29115** risk and prioritizing remediation.

- This README **does not** provide exploit code, crafted packet templates, or attack recipes.
- Inferred technical analysis is not vendor-confirmed root-cause disclosure.
- Model and firmware applicability **must** be verified against official Dahua PSI guidance.
- The authors are not liable for actions taken based on this document.

**Responsible use:** Report additional findings through coordinated disclosure (vendor PSI, CERT, or authorized bug bounty programs).

---

## Document Revision History

| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-07-11 | Initial comprehensive advisory README based on CVE-2026-29115 publication data |

---


  CVE-2026-29115 ยท Dahua Technology ยท CVSS 4.0 6.9 MEDIUM ยท CWE-617 ยท IPC / SD