Share
## https://sploitus.com/exploit?id=C39C5977-D322-54D2-9B0F-D997C82C40B1
# CVE-2024-13985 โ€” Dahua EIMS `capture_handle.action` Remote Code Execution

[![CVSS 4.0](https://img.shields.io/badge/CVSS_4.0-10.0_CRITICAL-critical?style=flat-square)](https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
[![Remotely Exploitable](https://img.shields.io/badge/Remotely_Exploitable-Yes-critical?style=flat-square)](#attack-prerequisites)
[![Authentication](https://img.shields.io/badge/Authentication-Not_Required-critical?style=flat-square)](#attack-prerequisites)
[![In the Wild](https://img.shields.io/badge/Exploitation-Observed-critical?style=flat-square)](#vulnerability-timeline)

> **Advisory type:** Vendor-coordinated security disclosure ยท **Active exploitation reported**  
> **CVE ID:** [CVE-2024-13985](https://vulners.com/cve/CVE-2024-13985)  
> **CNVD ID:** [CNVD-2024-17054](https://www.cnvd.org.cn/flaw/show/CNVD-2024-17054)  
> **Vendor:** Zhejiang Dahua Technology Co., Ltd.  
> **Product:** EIMS (Enterprise Information Management System)  
> **Published:** 2025-08-27T21:23:37 UTC  
> **Last Modified:** 2026-05-15T11:14:33 UTC  
> **Source:** [Dahua Support Bulletin](https://support.dahuatech.com/bulletin/info?IsDpValue=APKncD%2FB)

---

## Table of Contents

- [Executive Summary](#executive-summary)
- [At a Glance](#at-a-glance)
- [Relationship to Other Dahua CVEs](#relationship-to-other-dahua-cves)
- [Vulnerability Timeline](#vulnerability-timeline)
- [Description](#description)
- [Technical Analysis](#technical-analysis)
- [Affected Products](#affected-products)
- [CVSS Scoring](#cvss-scoring)
- [Vulnerability Scoring Details](#vulnerability-scoring-details)
- [CWE Classification](#cwe-classification)
- [Attack Prerequisites](#attack-prerequisites)
- [Exploitation Scenarios](#exploitation-scenarios)
- [Impact Assessment](#impact-assessment)
- [Asset Discovery](#asset-discovery)
- [Detection and Indicators of Compromise](#detection-and-indicators-of-compromise)
- [Mitigation and Remediation](#mitigation-and-remediation)
- [Workarounds](#workarounds)
- [Vendor Response](#vendor-response)
- [References](#references)
- [Disclaimer](#disclaimer)
- [Document Revision History](#document-revision-history)

---

## Executive Summary

A **critical, unauthenticated remote code execution vulnerability** exists in **Dahua EIMS (Enterprise Information Management System)** versions **prior to 2240008**. The flaw is a **command injection** in the HTTP endpoint **`capture_handle.action`**, where the **`captureCommand`** parameter is passed to an underlying OS command executor **without authentication, sanitization, or adequate input validation**.

Any remote attacker who can reach the EIMS web interface can send crafted HTTP requests that inject **arbitrary operating-system commands**. Those commands execute in the **server context**, enabling **full system compromise** โ€” data theft, persistence, lateral movement, ransomware deployment, and disruption of dependent physical-security workflows.

The vulnerability receives the **maximum CVSS 4.0 base score of 10.0 (CRITICAL)** with **High** impact across confidentiality, integrity, and availability on both the **vulnerable system** and **subsequent systems** (`VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`). **Exploitation evidence has been observed in the wild.**

EIMS is an **enterprise back-end platform**, not a field IPC camera. Compromise typically affects **central management, access control integrations, and organizational data** rather than a single sensor. Treat internet-exposed or VLAN-reachable EIMS instances as **emergency patch priority**.

---

## At a Glance

| Field | Value |
|---|---|
| **CVE ID** | CVE-2024-13985 |
| **CNVD ID** | CNVD-2024-17054 |
| **Vendor** | Zhejiang Dahua Technology Co., Ltd. |
| **Product** | **EIMS** (Enterprise Information Management System) |
| **Vulnerability Type** | OS Command Injection โ†’ Remote Code Execution |
| **Vulnerable Endpoint** | `capture_handle.action` |
| **Vulnerable Parameter** | `captureCommand` |
| **Attack Vector** | Network |
| **Authentication Required** | **No** |
| **User Interaction Required** | **No** |
| **Privileges Required** | **None** |
| **CVSS Version** | 4.0 |
| **CVSS Base Score** | **10.0 โ€” CRITICAL** |
| **CVSS Vector** | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H` |
| **CWE** | CWE-78 (OS Command Injection) |
| **Remotely Exploitable** | Yes |
| **Affected Versions** | **All versions < 2240008** |
| **Fixed Version** | **2240008** and later |
| **Published Date** | 2025-08-27 |
| **Last Modified** | 2026-05-15 |
| **Exploitation in the Wild** | **Yes** (reported) |

---

## Relationship to Other Dahua CVEs

This repository also documents **field-device** advisories from Dahua's 2026 PSI batch. CVE-2024-13985 is a **separate product line** with a **far higher severity profile**.

| Attribute | CVE-2024-13985 (this advisory) | [CVE-2026-29116](../CVE-2026-29116/README.md) | [CVE-2026-29115](../CVE-2026-29115/README.md) | [CVE-2026-29114](../CVE-2026-29114/README.md) |
|---|---|---|---|---|
| **Product** | **EIMS server** | IPC/NVR/etc. | IPC/SD | IPC |
| **CVSS 4.0** | **10.0 CRITICAL** | 8.7 HIGH | 6.9 MEDIUM | 2.3 LOW |
| **Auth** | **None** | None | High privileges | None |
| **Primary Impact** | **Full RCE** | DoS (reboot) | DoS (reboot) | CA cert exposure |
| **CWE** | **CWE-78** | CWE-617 | CWE-617 | CWE-538 |
| **In-the-wild** | **Yes** | Not stated | Not stated | Not stated |

**Defender takeaway:** Patching cameras does **not** remediate EIMS. Inventory **application servers** running Dahua enterprise software independently.

---

## Vulnerability Timeline

| Date | Event |
|---|---|
| **โ‰ค 2024** | Vulnerable EIMS releases deployed in enterprise environments |
| **2024** | Vulnerability discovered / reported (CVE year 2024) |
| **2024** | CNVD-2024-17054 assigned (China National Vulnerability Database) |
| **2025-08-27T21:23:37 UTC** | CVE-2024-13985 published to NVD/CVE.org |
| **2025โ€“2026** | Public scanners, PoC discussions, and nuclei templates circulate |
| **Post-publication** | **Exploitation evidence observed in the wild** |
| **2026-05-15T11:14:33 UTC** | NVD record last modified |
| **Ongoing** | Internet-exposed EIMS instances remain high-value targets |

---

## Description

Dahua **EIMS** provides enterprise-level information management capabilities used in integrated security and building-management deployments. A network-facing servlet or action handler exposed at **`capture_handle.action`** accepts a parameter named **`captureCommand`**.

### Failure Mode

The application treats `captureCommand` as input to a **host operating system command** (directly or via a shell wrapper) without:

- Requiring an authenticated session
- Validating allowed character sets or command vocabulary
- Escaping shell metacharacters
- Using safe APIs (e.g., parameterized process invocation with fixed executable and argument array)

An unauthenticated attacker submits crafted HTTP requests containing command injection payloads in `captureCommand`. The server **executes attacker-controlled OS commands** with the privileges of the EIMS application process โ€” typically a privileged service account on Windows or Linux hosts.

### Consequences

Successful exploitation leads to:

| Outcome | Detail |
|---|---|
| **Remote Code Execution** | Arbitrary binaries, scripts, or shell commands |
| **Full system compromise** | File read/write, user creation, service manipulation |
| **Lateral movement** | Pivot from EIMS host into AD, databases, camera VLANs |
| **Data exfiltration** | Access to EIMS-managed enterprise records |
| **Service disruption** | Stop EIMS, wipe data, deploy ransomware |
| **Supply-chain positioning** | Backdoor software update or device provisioning channels |

---

## Technical Analysis

### Endpoint and Parameter

| Component | Value |
|---|---|
| **HTTP path** | `capture_handle.action` |
| **Parameter** | `captureCommand` |
| **Protocol** | HTTP/HTTPS (deployment-dependent) |
| **Auth gate** | **Absent** (unauthenticated reachability) |

The `.action` suffix is characteristic of **Apache Struts2** or Struts-style Java MVC frameworks commonly used in enterprise Java web applications. While the vendor bulletin describes **command injection** rather than naming the framework, defenders should inspect EIMS deployments for **Java web containers** (Tomcat, etc.) and **reverse proxies** forwarding to that endpoint.

### CWE-78 โ€” OS Command Injection Mechanics

[CWE-78](https://cwe.mitre.org/data/definitions/78.html) arises when application code concatenates untrusted input into commands interpreted by `/bin/sh`, `cmd.exe`, or equivalent:

```
# Conceptual vulnerable pattern (pseudocode โ€” not vendor source)
Runtime.exec("capture-tool " + captureCommand);
# or
ProcessBuilder("sh", "-c", "capture-tool " + captureCommand);
```

Shell metacharacters (`;`, `|`, `&`, `` ` ``, `$()`, `&&`, `||`, newlines) allow **command termination** and **arbitrary secondary commands**.

### Why CVSS 10.0 Is Warranted

Every CVSS 4.0 impact metric in the published vector is **High**, including **subsequent system** impacts:

| Property | Value | Implication |
|---|---|---|
| `AV:N` | Network | WAN exploitation possible |
| `AC:L` | Low complexity | Single crafted HTTP request |
| `AT:N` | No special attack requirements | Default deployment exploitable |
| `PR:N` | No privileges | No account needed |
| `UI:N` | No user interaction | Fully automated exploitation |
| `VC/VI/VA:H` | Full CIA on EIMS host | Complete compromise |
| `SC/SI/SA:H` | Subsequent systems High | EIMS is a central integration hub |

This is among the most severe published scores possible under CVSS 4.0.

### EIMS Architecture Context (Operational)

EIMS typically sits **centralized** in the security architecture:

```
[Internet / WAN] โ”€โ”€?โ”€โ”€> [EIMS Application Server]
                              โ”‚
              โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
              โ–ผ               โ–ผ               โ–ผ
         [Directory]    [Access DB]     [Device APIs]
              โ”‚               โ”‚               โ”‚
              โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                              โ”‚
                    [Cameras / Doors / Alarms]
```

Compromise at the EIMS layer is **architecturally worse** than compromising a single IPC โ€” it is a **control plane** breach.

### Public Exploitation Ecosystem

Multiple public sources reference this flaw (see [References](#references)):

- Vendor bulletin on `support.dahuatech.com`
- CNVD and NVD entries
- Community write-ups (cn-sec.com, CSDN)
- Scanner templates (Nuclei, Pentest-Tools, VulnCheck, S4E)

The presence of **scanner signatures** and **in-the-wild exploitation** means opportunistic mass exploitation is an **immediate realistic threat**, not a theoretical research concern.

---

## Affected Products

### Vendor Summary

| # | Vendor | Product | Version Constraint |
|---|---|---|---|
| 1 | Zhejiang Dahua Technology Co., Ltd. | **EIMS** | All versions **< 2240008** |
| 2 | Zhejiang Dahua Technology Co., Ltd. | **EIMS** | Version **0** (baseline / all branches prior to fix) |

**Totals:** 1 affected vendor ยท 1 affected product (EIMS)

### Fixed Version

| Status | Version |
|---|---|
| **Vulnerable** | `< 2240008` |
| **Fixed** | **`2240008` and later** |

### Version Identification

Operators should record:

1. EIMS **build or package version** from the admin UI or installer manifest
2. Installed **patch level** from Dahua support portal entitlements
3. Host OS and deployment topology (standalone vs. clustered)

If version enumeration is unavailable, **assume vulnerable** until confirmed patched.

### What EIMS Is Not

| Product | Relationship |
|---|---|
| IPC / SD cameras | Different firmware; not covered by this CVE |
| NVR / XVR appliances | Embedded devices; separate CVEs |
| DMSS mobile app | Client software; not EIMS server |
| DSS / other VMS | Distinct products โ€” verify separately |

---

## CVSS Scoring

### Summary

| Score | Version | Severity | Vector |
|---|---|---|---|
| **10.0** | **4.0** | **CRITICAL** | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H` |

### CVSS 4.0 Metric Breakdown

| Metric | Value | Meaning for this CVE |
|---|---|---|
| **AV** | Network (`N`) | Remote exploitation over HTTP |
| **AC** | Low (`L`) | Reliable, low-skill exploitation |
| **AT** | None (`N`) | Default install exploitable |
| **PR** | None (`N`) | Unauthenticated |
| **UI** | None (`N`) | No victim interaction |
| **VC** | High (`H`) | Full read of server-accessible data |
| **VI** | High (`H`) | Full modification capability |
| **VA** | High (`H`) | Service termination / destruction |
| **SC** | High (`H`) | High confidentiality impact on subsequent systems |
| **SI** | High (`H`) | High integrity impact on subsequent systems |
| **SA** | High (`H`) | High availability impact on subsequent systems |

### Maximum Severity Interpretation

A **10.0** under CVSS 4.0 indicates **no compensating metric reduces urgency**. Patching, isolation, or takedown from untrusted networks should be treated as **P0 / emergency**.

---

## Vulnerability Scoring Details

Visual summary of the published CVSS 4.0 selector positions:

### Exploit Characteristics

```
Attack Vector:          [Network]  Adjacent  Local  Physical
Attack Complexity:      [Low]      High
Attack Requirements:    [None]     Present
Privileges Required:    [None]     Low      High
User Interaction:       [None]     Passive  Active
```

### Impact on Vulnerable System

```
Vuln Confidentiality:     None     Low      [High]
Vuln Integrity:           None     Low      [High]
Vuln Availability:        None     Low      [High]
```

### Subsequent System Impact

```
Subseq Confidentiality:   None     Low      [High]
Subseq Integrity:           None     Low      [High]
Subseq Availability:      None     Low      [High]
```

---

## CWE Classification

| # | CWE ID | Name | Relevance |
|---|---|---|---|
| 1 | **CWE-78** | [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')](https://cwe.mitre.org/data/definitions/78.html) | `captureCommand` passed to OS command execution without neutralization |

### Related Weaknesses (Contextual)

| CWE | Name | Relationship |
|---|---|---|
| CWE-77 | Command Injection (generic) | Parent category |
| CWE-306 | Missing Authentication for Critical Function | Unauthenticated reachability of dangerous handler |
| CWE-20 | Improper Input Validation | Root validation failure |
| CWE-434 | Unrestricted Upload | Possible post-exploitation follow-on, not core CVE |

---

## Attack Prerequisites

| Prerequisite | Required? | Notes |
|---|---|---|
| Valid EIMS credentials | **No** | Unauthenticated |
| Victim user interaction | **No** | Single HTTP request sufficient |
| Prior compromise | **No** | Standalone exploitation |
| Network reachability to EIMS HTTP(S) | **Yes** | `capture_handle.action` accessible |
| Vulnerable version (`< 2240008`) | **Yes** | Patched versions not affected |
| Internet exposure | **Not required** | LAN/WAN/VPN reachable instances equally at risk |

**Remotely Exploitable:** **Yes**

---

## Exploitation Scenarios

### Scenario 1 โ€” Internet-Exposed EIMS (Shodan / ZoomEye)

Attackers enumerate `app="Dahua EIMS"` hosts on internet scan engines, deliver command injection to `capture_handle.action`, deploy webshell or reverse shell, and exfiltrate enterprise security databases.

### Scenario 2 โ€” Ransomware Operator Mass Campaign

Automated scanners identify vulnerable instances. Attackers encrypt EIMS host and connected file shares, demanding ransom while physical access control and visitor management integrations are offline.

### Scenario 3 โ€” Lateral Movement from Perimeter Breach

An attacker compromises a DMZ web server, pivots to an internally reachable EIMS instance on a shared management VLAN, and uses EIMS credentials/API keys stored on the host to interact with downstream door controllers and cameras.

### Scenario 4 โ€” Insider-Less Espionage

Nation-state or criminal actors silently exfiltrate personnel access logs, visitor records, and building maps without rebooting services โ€” maintaining long-term persistence via cron/systemd backdoors.

### Scenario 5 โ€” Supply Chain / Integrator MSP

A managed service provider hosts one EIMS instance for dozens of customers. Single compromise affects **all tenants** on that server โ€” a concentrated catastrophic failure.

---

## Impact Assessment

### Technical Impact

| Domain | Rating | Detail |
|---|---|---|
| Confidentiality | **High** | Full filesystem and DB read access typical |
| Integrity | **High** | Arbitrary file write, config tampering, backdoors |
| Availability | **High** | Kill process, wipe data, ransomware |
| Subsequent systems | **High** | Integration credentials enable downstream abuse |

### Business Impact

| Sector | Consequence |
|---|---|
| **Corporate campuses** | Access control bypass, visitor data leak |
| **Government / critical infra** | Control-plane breach across physical security |
| **Healthcare** | HIPAA-relevant access log exposure |
| **Education** | Student/staff safety system manipulation |
| **Integrators / MSPs** | Multi-customer breach from one host |

### Regulatory and Legal Exposure

EIMS compromise may trigger:

- Breach notification obligations (GDPR, state privacy laws, etc.)
- Critical infrastructure reporting in regulated sectors
- Contractual SLA penalties with physical security customers

---

## Asset Discovery

### ZoomEye Query

| Platform | Query | Link |
|---|---|---|
| **ZoomEye** | `app="Dahua EIMS"` | [Search on ZoomEye](https://www.zoomeye.ai/searchResult?q=YXBwPSJEYWh1YSBFSU1TIg==) |

### Defensive Inventory (Authorized Only)

| Method | Action |
|---|---|
| **CMDB / license records** | List all EIMS installs and versions |
| **VM inventory** | Search for Dahua EIMS packages on application servers |
| **Reverse proxy configs** | Identify upstreams routing to `capture_handle.action` |
| **Vulnerability scanners** | Run vendor-approved checks using published signatures |
| **Internet attack surface** | Compare ZoomEye results against owned public IPs |

> Only scan assets you own or are explicitly authorized to test.

---

## Detection and Indicators of Compromise

### Network Indicators

- HTTP `GET`/`POST` to **`/capture_handle.action`** or path suffix match
- Requests containing **`captureCommand=`** with shell metacharacters or encoded equivalents (`%3B`, `%7C`, `%26`, `%24`, `` %60 ``, `%0A`)
- Spike in **4xx/5xx** responses followed by **new outbound connections** from EIMS host
- Unexpected **DNS queries** or **beaconing** from application server after anomalous HTTP

### Host Indicators

- New **cron jobs**, **scheduled tasks**, or **systemd units** on EIMS server
- Unexpected **web shells** in Tomcat/webapp directories
- **New local users** or **SSH authorized_keys** modifications
- **java** or **tomcat** process spawning `/bin/sh`, `cmd.exe`, `powershell`, `bash`
- Antivirus/EDR alerts on EIMS host correlated with web access logs

### Application Log Patterns

- `capture_handle.action` access from **unfamiliar source IPs**
- **High-frequency** identical requests (scanner behavior)
- Errors in command wrapper utilities immediately after suspicious `captureCommand` values

### Threat Intelligence Feeds

Monitor for:

- CNVD-2024-17054 / CVE-2024-13985 signatures
- Nuclei template matches (public templates exist โ€” use for **authorized** scanning)
- SIEM rules tagging Dahua EIMS exploit attempts

### Recommended Emergency Queries (SIEM)

```
# Example patterns โ€” adapt to your log schema
url:"capture_handle.action" AND captureCommand:*
url:"capture_handle.action" AND (captureCommand:*;* OR captureCommand:*|* OR captureCommand:*&*)
```

---

## Mitigation and Remediation

### Primary Remediation โ€” Upgrade to 2240008+

1. **Inventory** all EIMS deployments and record versions.
2. **Upgrade immediately** to version **2240008** or later from [Dahua Support Bulletin](https://support.dahuatech.com/bulletin/info?IsDpValue=APKncD%2FB).
3. **Verify** patch success via version string and absence of exploitable behavior in **authorized** regression tests.
4. **Rotate** all credentials stored on or reachable from the EIMS host (DB, API keys, service accounts, integration passwords).

### Emergency Containment (If Patching Is Delayed)

| Control | Priority | Action |
|---|---|---|
| **Remove internet exposure** | **P0** | Take EIMS offline from WAN immediately |
| **WAF / reverse proxy block** | **P0** | Block `capture_handle.action` at edge |
| **Network ACL** | **P0** | Allow only admin jump-host IPs to EIMS port |
| **Disable vulnerable handler** | P1 | If vendor or integrator provides interim config (confirm with support) |
| **EDR isolation** | P1 | Restrict outbound from EIMS except required integrations |

### Post-Compromise Recovery

If exploitation is suspected:

1. **Isolate** the host from network
2. **Preserve forensic images** before rebuild
3. **Rebuild** from known-good media (not in-place "cleanup" alone)
4. **Rotate** all secrets company-wide that were accessible from EIMS
5. **Review** downstream device configs for unauthorized changes
6. **Report** per organizational IR and regulatory requirements

### Secure Deployment Hardening (Long-Term)

| Practice | Recommendation |
|---|---|
| **Never expose EIMS to internet** | VPN or zero-trust only |
| **Segment** EIMS on dedicated management VLAN |
| **Run with least privilege** | Non-root service account; restricted file permissions |
| **Centralize logging** | Forward HTTP and OS logs to SIEM |
| **Patch cadence** | Treat Dahua enterprise apps like any critical CMDB tier-1 app |

---

## Workarounds

No vendor-sanctioned **permanent** workaround replaces upgrading to **2240008+**. Interim measures:

1. **Block** external access to `capture_handle.action` at the reverse proxy/WAF.
2. **Air-gap** EIMS from untrusted networks until patched.
3. **Disable** the EIMS web tier if business continuity allows using alternate management paths temporarily.

These are **stop-gap** controls; vulnerable code remains exploitable by anyone who can reach the endpoint.

---

## Vendor Response

Dahua published a security bulletin via its support portal:

- **Bulletin:** https://support.dahuatech.com/bulletin/info?IsDpValue=APKncD%2FB

Obtain **fixed installers**, release notes, and any interim guidance from that bulletin or authorized Dahua support channels.

---

## References

| Resource | URL |
|---|---|
| Dahua Support Bulletin | https://support.dahuatech.com/bulletin/info?IsDpValue=APKncD%2FB |
| NVD Entry | https://nvd.nist.gov/vuln/detail/CVE-2024-13985 |
| CVE Record | https://vulners.com/cve/CVE-2024-13985 |
| CNVD-2024-17054 | https://www.cnvd.org.cn/flaw/show/CNVD-2024-17054 |
| VulnCheck Advisory | https://www.vulncheck.com/advisories/dahua-eims-rce |
| S4E Tool Reference | https://s4e.io/tools/dahua-eims-remote-code-execution |
| Pentest-Tools Entry | https://pentest-tools.com/vulnerabilities-exploits/dahua-eims-re |
| Nuclei Template (ahisec) | https://github.com/ahisec/nuclei-tps/blob/main/http/vulnerabilit |
| cn-sec.com Write-up | https://cn-sec.com/archives/2554372.html |
| CSDN Analysis | https://blog.csdn.net/weixin_43567873/article/details/136636198 |
| ZoomEye Search | https://www.zoomeye.ai/searchResult?q=YXBwPSJEYWh1YSBFSU1TIg== |
| CWE-78 Definition | https://cwe.mitre.org/data/definitions/78.html |
| CVSS 4.0 Specification | https://www.first.org/cvss/v4.0/specification-document |

---

## Disclaimer

This document is an **informational security advisory** compiled from publicly available CVE metadata, vendor bulletins, and industry reporting. It is intended to help defenders understand and prioritize remediation for **CVE-2024-13985**.

- This README **does not** provide weaponized exploit code, copy-paste injection payloads, or step-by-step compromise tutorials.
- Technical analysis of framework behavior is **inferred** where vendor source is unavailable.
- Asset search links are for **authorized inventory** of your own attack surface.
- Apply patches and containment measures through your organization's **change and incident response** procedures.
- The authors are not liable for actions taken based on this document.

**Responsible use:** Test only systems you own or are authorized to assess. Report active exploitation to national CERTs and Dahua support as appropriate.

---

## Document Revision History

| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-07-11 | Initial comprehensive advisory README based on CVE-2024-13985 publication data |

---


  CVE-2024-13985 ยท Dahua EIMS ยท CVSS 4.0 10.0 CRITICAL ยท CWE-78 ยท capture_handle.action