## https://sploitus.com/exploit?id=6C6F4725-A959-59CD-A851-CED06BE8F178
# CVE-2026-29116 โ Dahua Unauthenticated Remote Denial of Service
[](https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
[](#attack-prerequisites)
[](#attack-prerequisites)
> **Advisory type:** Vendor-coordinated security disclosure
> **CVE ID:** [CVE-2026-29116](https://vulners.com/cve/CVE-2026-29116)
> **Vendor:** Dahua Technology
> **Published:** 2026-06-10T06:16:34 UTC
> **Last Modified:** 2026-06-10T06:16:34 UTC
> **Source:** [Dahua Product Security Incident (PSI) Trust Center](https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psi)
---
## Table of Contents
- [Executive Summary](#executive-summary)
- [At a Glance](#at-a-glance)
- [Vulnerability Timeline](#vulnerability-timeline)
- [Description](#description)
- [Technical Analysis](#technical-analysis)
- [Affected Products](#affected-products)
- [CVSS Scoring](#cvss-scoring)
- [Vulnerability Scoring Details](#vulnerability-scoring-details)
- [CWE Classification](#cwe-classification)
- [Attack Prerequisites](#attack-prerequisites)
- [Exploitation Scenarios](#exploitation-scenarios)
- [Impact Assessment](#impact-assessment)
- [Detection and Indicators of Compromise](#detection-and-indicators-of-compromise)
- [Mitigation and Remediation](#mitigation-and-remediation)
- [Workarounds](#workarounds)
- [Vendor Response](#vendor-response)
- [References](#references)
- [Disclaimer](#disclaimer)
- [Document Revision History](#document-revision-history)
---
## Executive Summary
A **high-severity, unauthenticated remote denial-of-service vulnerability** has been identified in multiple Dahua security and surveillance product lines. An attacker on the network โ including the public internet when devices are exposed โ can send a **specially crafted network packet** to a vulnerable device. Processing that packet triggers an **unhandled exception** (consistent with a reachable assertion or fatal error path), causing the device to **reboot unexpectedly**.
Because no credentials are required and attack complexity is low, this vulnerability is straightforward to exploit at scale. Repeated exploitation can produce sustained outages across cameras, recorders, intercom endpoints, and related infrastructure. While the flaw does **not** directly compromise confidentiality or integrity of stored data, the **availability impact is rated High**, yielding a **CVSS 4.0 base score of 8.7 (HIGH)**.
Organizations operating Dahua IPC, SD, NVR, XVR, EVS, VTO, VTH, ASI, or TPC hardware with firmware builds **prior to March 26, 2026** should treat patching or network isolation as a priority.
> **Note on advisory labeling:** Some third-party indexes list this CVE under a "Cross-Site Scripting" title. The official description, CVSS vector (`VA:H` with no confidentiality or integrity impact), and CWE-617 classification are consistent with an **unauthenticated network-triggered crash/reboot (DoS)**, not a browser-based XSS condition. This document follows the vendor description and scoring data.
---
## At a Glance
| Field | Value |
|---|---|
| **CVE ID** | CVE-2026-29116 |
| **Vendor** | Dahua Technology |
| **Vulnerability Type** | Denial of Service (unexpected reboot) |
| **Attack Vector** | Network |
| **Authentication Required** | No |
| **User Interaction Required** | No |
| **Privileges Required** | None |
| **CVSS Version** | 4.0 |
| **CVSS Base Score** | **8.7 โ HIGH** |
| **CVSS Vector** | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N` |
| **CWE** | CWE-617 (Reachable Assertion) |
| **Remotely Exploitable** | Yes |
| **Published Date** | 2026-06-10 |
| **Fix Availability** | Firmware builds from **March 26, 2026** onward (per vendor guidance) |
---
## Vulnerability Timeline
| Date | Event |
|---|---|
| **โค 2026-03-26** | Vulnerable firmware builds in active distribution |
| **2026-03-26** | Vendor fix cutoff โ builds produced on or after this date are outside the affected range (per advisory) |
| **2026-06-10T06:16:34 UTC** | CVE-2026-29116 published |
| **2026-06-10T06:16:34 UTC** | NVD record last modified |
| **2026-06-10** | Dahua PSI Trust Center advisory published |
| **Ongoing** | Operators should inventory, patch, and segment affected estates |
---
## Description
Dahua has reported a security vulnerability affecting a subset of products across its surveillance and access portfolio. The flaw resides in network-facing software that handles inbound traffic without adequately validating or safely handling malformed or adversarial input.
**Observed behavior:**
1. An **unauthenticated remote attacker** transmits a **specially crafted packet** to a vulnerable device over the network.
2. The device's network service or internal handler processes the packet and enters an **exceptional code path** โ for example, a failed assertion, unhandled fault, or unrecoverable internal error consistent with **CWE-617 (Reachable Assertion)**.
3. The exception propagates in a way that causes the **system to reboot unexpectedly**.
4. The device is unavailable until the reboot cycle completes. Under repeated attack, the device may remain in a **persistent denial-of-service** state.
**What this vulnerability is not (per CVSS metrics):**
- It does **not** require the victim to open a web page or click a link (`UI:N`).
- It does **not** require attacker credentials (`PR:N`).
- It does **not** demonstrate direct **confidentiality** or **integrity** impact on the vulnerable component (`VC:N`, `VI:N`).
- It does **not** show subsequent-system impact in the published vector (`SC:N`, `SI:N`, `SA:N`).
The primary risk is **loss of availability** โ cameras stop streaming, recorders stop recording, intercoms go offline, and automated workflows depending on those devices fail.
---
## Technical Analysis
### Root Cause (Inferred)
Public vendor text does not disclose the exact function or protocol endpoint. Based on the published CWE and behavior, the most probable root-cause categories are:
| Category | Explanation |
|---|---|
| **Reachable assertion** | A debug or integrity `assert()` (or equivalent) remains enabled in production firmware and can be triggered by malformed input. |
| **Uncaught fatal exception** | Parser or session state machine throws/crashes on unexpected field values, lengths, or protocol states. |
| **Resource or bounds mishandling** | Crafted packet causes an out-of-bounds access or invalid memory operation detected at runtime, terminating the process or kernel path. |
Any of the above can cascade into a **full device reboot** if the failure occurs in a critical daemon, the main application supervisor, or a kernel-adjacent component without graceful recovery.
### Attack Surface
Because the attack vector is **Network** and **no privileges** are required, any reachable service that parses attacker-supplied network input on affected firmware may be implicated. In Dahua deployments, that commonly includes โ but is not limited to โ:
- Device discovery and registration services
- Proprietary P2P / tunnel / relay handshake handlers
- HTTP/HTTPS management interfaces (where raw or chunked requests are mishandled)
- RTSP / ONVIF / SIP-adjacent stacks (product-dependent)
- Intercom and door station signaling (VTO/VTH lines)
> **Important:** The vendor advisory does not name a single port or URI. Defenders should assume **any exposed network listener** on vulnerable firmware could be relevant until patched.
### Reboot vs. Process Restart
From an operator's perspective both outcomes look like "the camera went offline," but they differ operationally:
| Outcome | Operator-visible effect | Logging |
|---|---|---|
| **Process restart** | Brief stream gap; device may stay partially up | Application crash logs |
| **Full system reboot** | Complete offline window; active sessions dropped | Boot sequence, watchdog, kernel panic traces |
The vendor description explicitly cites **unexpected system reboot**, implying a **device-wide** availability event rather than a single non-critical daemon recycling.
### Stability Under Repeated Exploitation
A one-shot reboot is disruptive. A **repeatable remote trigger** is worse:
- Surveillance gaps during incidents or compliance recording windows
- NVR channel loss triggering false "camera tamper" cascades
- Intercom / access endpoints unavailable at entry points
- Central monitoring station alarm storms from mass offline events
- Brute-force or follow-on attacks timed during reboot recovery windows
---
## Affected Products
### Vendor Summary
| # | Vendor | Product Families | Version / Build Guidance |
|---|---|---|---|
| 1 | **Dahua** | IPC / SD / NVR / XVR / EVS / VTO / VTH / ASI / TPC | **Affected:** firmware builds **before March 26, 2026** (limited to certain models within each family) |
**Totals:** 1 affected vendor ยท 1 affected product grouping (multi-family)
### Product Family Reference
| Family | Typical Role | Example Operational Impact |
|---|---|---|
| **IPC** | IP cameras | Live view loss, recording gaps, smart event dropout |
| **SD** | Speed domes / PTZ | Loss of tracking, preset failures, patrol interruption |
| **NVR** | Network video recorders | Multi-channel ingest outage if appliance reboots |
| **XVR** | Hybrid DVR/NVR | Local + IP channel recording interruption |
| **EVS** | Enterprise video storage | Large-scale archive ingest disruption |
| **VTO** | Video intercom outdoor stations | Entry calls fail; door release unavailable |
| **VTH** | Video intercom indoor monitors | Unit-level communication loss |
| **ASI** | Access / security interfaces | Integrated door and alarm workflows stall |
| **TPC** | Thermal / specialty platforms | Safety monitoring blind spots |
### Model Scope Caveat
Dahua states that **only certain models** within the listed families are affected. The advisory is **not a universal "all Dahua devices" claim**. Operators must cross-reference:
1. Exact model number
2. Firmware build date (must be **on or after 2026-03-26** for fixed builds)
3. Vendor PSI bulletin for model-specific matrices and download links
---
## CVSS Scoring
### Summary
| Score | Version | Severity | Vector |
|---|---|---|---|
| **8.7** | **4.0** | **HIGH** | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N` |
### CVSS 4.0 Metric Breakdown
| Metric | Value | Meaning for this CVE |
|---|---|---|
| **AV (Attack Vector)** | Network (`N`) | Exploitation occurs over a network path; remote attackers qualify when devices are reachable |
| **AC (Attack Complexity)** | Low (`L`) | No special timing, race, or environmental conditions are required |
| **AT (Attack Requirements)** | None (`N`) | No deployment-specific preconditions beyond network reachability |
| **PR (Privileges Required)** | None (`N`) | Unauthenticated attacker |
| **UI (User Interaction)** | None (`N`) | No victim user action (e.g., opening a link) is needed |
| **VC (Vuln System Confidentiality)** | None (`N`) | No demonstrated direct confidentiality loss on the device |
| **VI (Vuln System Integrity)** | None (`N`) | No demonstrated direct integrity loss on the device |
| **VA (Vuln System Availability)** | High (`H`) | Device becomes unavailable; reboot-class impact |
| **SC (Subsequent Confidentiality)** | None (`N`) | No scored downstream confidentiality impact |
| **SI (Subsequent Integrity)** | None (`N`) | No scored downstream integrity impact |
| **SA (Subsequent Availability)** | None (`N`) | No scored downstream availability impact |
### Severity Interpretation
A score of **8.7** in CVSS 4.0 places this issue in the **HIGH** band. The score is driven almost entirely by **unauthenticated remote availability compromise** with **low complexity**. Defenders should not downgrade risk solely because confidentiality and integrity are `None` โ for physical security systems, **availability is often the business-critical property**.
---
## Vulnerability Scoring Details
Visual summary of the published CVSS 4.0 selector positions:
### Exploit Characteristics
```
Attack Vector: [Network] Adjacent Local Physical
Attack Complexity: [Low] High
Attack Requirements: [None] Present
Privileges Required: [None] Low High
User Interaction: [None] Passive Active
```
### Impact on Vulnerable System
```
Vuln Confidentiality: [None] Low High
Vuln Integrity: [None] Low High
Vuln Availability: [High] Low None
```
### Subsequent System Impact
```
Subseq Confidentiality: [None] Low High
Subseq Integrity: [None] Low High
Subseq Availability: [None] Low High
```
---
## CWE Classification
| # | CWE ID | Name | Relevance |
|---|---|---|---|
| 1 | **CWE-617** | [Reachable Assertion](https://cwe.mitre.org/data/definitions/617.html) | Production code exposes an assertion or fatal check reachable by untrusted input, terminating the process or system |
### Why CWE-617 Fits
CWE-617 describes situations where developers rely on assertions for conditions that **external attackers can force**. Unlike graceful error handling (return codes, sanitized responses), a reachable assertion often ends in **abrupt termination** โ aligning with **crash or reboot** behavior described by the vendor.
---
## Attack Prerequisites
| Prerequisite | Required? | Notes |
|---|---|---|
| Valid device credentials | **No** | Unauthenticated attack |
| Victim user interaction | **No** | Fully remote network trigger |
| Prior compromise of another system | **No** | Standalone exploitation |
| Network reachability to device | **Yes** | Attack vector is Network |
| Knowledge of device model | Helpful, not strictly required | Crafted packet may be family-specific |
| Internet exposure | **Not required**, but increases risk | WAN port-forwarding and cloud relay exposure are common in practice |
**Remotely Exploitable:** **Yes**
---
## Exploitation Scenarios
### Scenario 1 โ Internet-Exposed Camera
A fixed IPC is port-forwarded for remote viewing. An attacker scans the host, sends the crafted packet to an open service port, and forces a reboot. The camera drops offline during an active security incident, creating a recording gap.
### Scenario 2 โ Flat CCTV VLAN
An attacker gains a foothold on a corporate laptop (phishing, contractor device, etc.) and targets every Dahua host on the surveillance VLAN. Sequential triggers produce a site-wide "all cameras offline" event without ever authenticating to VMS software.
### Scenario 3 โ Intercom Disruption (VTO/VTH)
A retail store uses Dahua door stations. An attacker near the network (or via exposed WAN) repeatedly reboots the outdoor station during peak hours. Entry validation and remote door release fail, causing operational shutdown or manual bypass procedures.
### Scenario 4 โ Chained Physical Security Degradation
NVR reboot during an active intrusion delays alarm verification and PTZ tracking. While not a direct "integrity" CVE per CVSS, the **physical security outcome** can be severe.
### Scenario 5 โ Sustained Harassment / Service Degradation
Automated replay of the trigger every N minutes prevents stable uptime even if the device recovers quickly each time โ a **low-effort, high-disruption** attack suitable for botnet-scale abuse against known firmware fingerprints.
---
## Impact Assessment
### Technical Impact
| Domain | Rating | Detail |
|---|---|---|
| Confidentiality | None (direct) | No proven data exfiltration via this flaw alone |
| Integrity | None (direct) | No proven configuration or footage tampering via this flaw alone |
| Availability | **High** | Reboot-level outage; repeatable |
### Business Impact (Contextual)
| Sector | Potential Consequence |
|---|---|
| Retail / Banking | Loss of forensic video during shrink or fraud events |
| Critical infrastructure | Gaps in visual verification of alarms |
| Residential / SMB | Home monitoring blind spots during break-ins |
| Smart city | Traffic or public safety camera dropout |
| Access control integrations | Doors and intercoms unavailable at peak times |
### Fleet-Wide Considerations
Organizations with **hundreds or thousands** of Dahua endpoints should model:
- Mean time to recover per reboot
- Central monitoring noise during mass outages
- SLA breaches with managed service customers
- Insurance or compliance implications for recording continuity
---
## Detection and Indicators of Compromise
Because the vendor has not published packet captures or CVE-specific signatures, detection should focus on **behavioral indicators**:
### Host / Device Indicators
- Unexpected reboots without administrator-initiated upgrades or power events
- Boot reason flags referencing kernel panic, watchdog reset, or abnormal restart
- Application logs showing assertion failures or fatal errors immediately before downtime
- Short uptimes correlated with bursts of anomalous network traffic
### Network Indicators
- Single-source or distributed bursts of anomalous packets preceding device offline events
- New scanning activity on Dahua-associated service ports from untrusted subnets
- Correlation between external SYN/UDP/HTTP patterns and camera/NVR syslog reboot timestamps
### Operational Correlations
- Multiple devices offline simultaneously without PoE switch failure
- Offline events **not** accompanied by switch interface errors (suggesting endpoint-level crash)
- Recurring outages at fixed intervals (possible automated replay attack)
### Recommended Logging
- Centralize **syslog** from cameras, NVRs, and intercoms
- Retain **firewall / edge** flows for segments containing surveillance gear
- Alert on **mass device disconnect** events from VMS within short time windows
---
## Mitigation and Remediation
### Primary Remediation โ Firmware Update
1. Inventory all Dahua devices with model, serial, and **firmware build date**.
2. Identify units with builds **before March 26, 2026**.
3. Download vendor-approved firmware from the [Dahua PSI Trust Center](https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psi) or authorized distribution channels.
4. Stage upgrades on a maintenance window; validate recording and intercom function post-patch.
5. Re-test externally exposed services only after confirmation of fixed build.
### Compensating Controls (Until Patched)
| Control | Objective |
|---|---|
| **Network segmentation** | Place cameras/NVRs on dedicated VLANs with deny-by-default ACLs |
| **Remove port forwarding** | Eliminate direct WAN exposure; use VPN or zero-trust access instead |
| **Restrict source IPs** | Allow only VMS, jump hosts, and operator subnets to reach device management ports |
| **Disable unused services** | Reduce protocol attack surface (disable unneeded HTTP/ONVIF/PPPoE/etc.) |
| **Outbound filtering** | Limit unexpected relay behavior where policy allows |
| **Physical spares / failover** | For critical shots, maintain overlapping coverage |
### Enterprise Change Management
- Document firmware versions in CMDB
- Tie patch status to procurement and RMA workflows
- Include Dahua PSI monitoring in vendor risk review cadence
---
## Workarounds
No vendor-documented **configuration-only workaround** is known to fully eliminate the vulnerability without upgrading to a fixed build. Until firmware is applied, **network-layer containment** is the practical workaround:
1. Block untrusted networks from reaching device management and proprietary service ports.
2. Monitor for repeated reboot patterns and isolate offending sources at the edge firewall.
3. Where available, place devices behind authenticated VPN concentrators rather than raw exposure.
---
## Vendor Response
Dahua published this issue through its **Product Security Incident (PSI)** program. Official resources:
- **Trust Center / PSI:** https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psi
Operators should treat the vendor bulletin as the authoritative source for:
- Model-specific affected lists
- Fixed firmware download links
- Additional hardening recommendations
---
## References
| Resource | URL |
|---|---|
| Dahua PSI Trust Center | https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psi |
| NVD Entry | https://nvd.nist.gov/vuln/detail/CVE-2026-29116 |
| CVE Record | https://vulners.com/cve/CVE-2026-29116 |
| CWE-617 Definition | https://cwe.mitre.org/data/definitions/617.html |
| CVSS 4.0 Specification | https://www.first.org/cvss/v4.0/specification-document |
---
## Disclaimer
This document is an **informational security advisory** compiled from publicly available CVE metadata and vendor statements. It is intended to assist defenders, integrators, and researchers in understanding **CVE-2026-29116** risk and prioritizing remediation.
- This README **does not** provide exploit code, crafted packet templates, or step-by-step attack instructions.
- Technical analysis sections marked *inferred* are reasonable interpretations of public data, not vendor-confirmed root-cause disclosure.
- Affected model determination **must** be verified against the official Dahua PSI bulletin and your device firmware build date.
- The authors are not liable for actions taken based on this document. Patch, test, and deploy according to your organization's change management policies.
**Responsible use:** Report additional findings through coordinated disclosure channels (vendor PSI, national CERT, or established bug bounty programs where applicable).
---
## Document Revision History
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-07-11 | Initial comprehensive advisory README based on CVE-2026-29116 publication data |
---
CVE-2026-29116 ยท Dahua Technology ยท CVSS 4.0 8.7 HIGH ยท CWE-617