Share
## https://sploitus.com/exploit?id=C39C5977-D322-54D2-9B0F-D997C82C40B1
# CVE-2024-13985 โ Dahua EIMS `capture_handle.action` Remote Code Execution
[](https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
[](#attack-prerequisites)
[](#attack-prerequisites)
[](#vulnerability-timeline)
> **Advisory type:** Vendor-coordinated security disclosure ยท **Active exploitation reported**
> **CVE ID:** [CVE-2024-13985](https://vulners.com/cve/CVE-2024-13985)
> **CNVD ID:** [CNVD-2024-17054](https://www.cnvd.org.cn/flaw/show/CNVD-2024-17054)
> **Vendor:** Zhejiang Dahua Technology Co., Ltd.
> **Product:** EIMS (Enterprise Information Management System)
> **Published:** 2025-08-27T21:23:37 UTC
> **Last Modified:** 2026-05-15T11:14:33 UTC
> **Source:** [Dahua Support Bulletin](https://support.dahuatech.com/bulletin/info?IsDpValue=APKncD%2FB)
---
## Table of Contents
- [Executive Summary](#executive-summary)
- [At a Glance](#at-a-glance)
- [Relationship to Other Dahua CVEs](#relationship-to-other-dahua-cves)
- [Vulnerability Timeline](#vulnerability-timeline)
- [Description](#description)
- [Technical Analysis](#technical-analysis)
- [Affected Products](#affected-products)
- [CVSS Scoring](#cvss-scoring)
- [Vulnerability Scoring Details](#vulnerability-scoring-details)
- [CWE Classification](#cwe-classification)
- [Attack Prerequisites](#attack-prerequisites)
- [Exploitation Scenarios](#exploitation-scenarios)
- [Impact Assessment](#impact-assessment)
- [Asset Discovery](#asset-discovery)
- [Detection and Indicators of Compromise](#detection-and-indicators-of-compromise)
- [Mitigation and Remediation](#mitigation-and-remediation)
- [Workarounds](#workarounds)
- [Vendor Response](#vendor-response)
- [References](#references)
- [Disclaimer](#disclaimer)
- [Document Revision History](#document-revision-history)
---
## Executive Summary
A **critical, unauthenticated remote code execution vulnerability** exists in **Dahua EIMS (Enterprise Information Management System)** versions **prior to 2240008**. The flaw is a **command injection** in the HTTP endpoint **`capture_handle.action`**, where the **`captureCommand`** parameter is passed to an underlying OS command executor **without authentication, sanitization, or adequate input validation**.
Any remote attacker who can reach the EIMS web interface can send crafted HTTP requests that inject **arbitrary operating-system commands**. Those commands execute in the **server context**, enabling **full system compromise** โ data theft, persistence, lateral movement, ransomware deployment, and disruption of dependent physical-security workflows.
The vulnerability receives the **maximum CVSS 4.0 base score of 10.0 (CRITICAL)** with **High** impact across confidentiality, integrity, and availability on both the **vulnerable system** and **subsequent systems** (`VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`). **Exploitation evidence has been observed in the wild.**
EIMS is an **enterprise back-end platform**, not a field IPC camera. Compromise typically affects **central management, access control integrations, and organizational data** rather than a single sensor. Treat internet-exposed or VLAN-reachable EIMS instances as **emergency patch priority**.
---
## At a Glance
| Field | Value |
|---|---|
| **CVE ID** | CVE-2024-13985 |
| **CNVD ID** | CNVD-2024-17054 |
| **Vendor** | Zhejiang Dahua Technology Co., Ltd. |
| **Product** | **EIMS** (Enterprise Information Management System) |
| **Vulnerability Type** | OS Command Injection โ Remote Code Execution |
| **Vulnerable Endpoint** | `capture_handle.action` |
| **Vulnerable Parameter** | `captureCommand` |
| **Attack Vector** | Network |
| **Authentication Required** | **No** |
| **User Interaction Required** | **No** |
| **Privileges Required** | **None** |
| **CVSS Version** | 4.0 |
| **CVSS Base Score** | **10.0 โ CRITICAL** |
| **CVSS Vector** | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H` |
| **CWE** | CWE-78 (OS Command Injection) |
| **Remotely Exploitable** | Yes |
| **Affected Versions** | **All versions < 2240008** |
| **Fixed Version** | **2240008** and later |
| **Published Date** | 2025-08-27 |
| **Last Modified** | 2026-05-15 |
| **Exploitation in the Wild** | **Yes** (reported) |
---
## Relationship to Other Dahua CVEs
This repository also documents **field-device** advisories from Dahua's 2026 PSI batch. CVE-2024-13985 is a **separate product line** with a **far higher severity profile**.
| Attribute | CVE-2024-13985 (this advisory) | [CVE-2026-29116](../CVE-2026-29116/README.md) | [CVE-2026-29115](../CVE-2026-29115/README.md) | [CVE-2026-29114](../CVE-2026-29114/README.md) |
|---|---|---|---|---|
| **Product** | **EIMS server** | IPC/NVR/etc. | IPC/SD | IPC |
| **CVSS 4.0** | **10.0 CRITICAL** | 8.7 HIGH | 6.9 MEDIUM | 2.3 LOW |
| **Auth** | **None** | None | High privileges | None |
| **Primary Impact** | **Full RCE** | DoS (reboot) | DoS (reboot) | CA cert exposure |
| **CWE** | **CWE-78** | CWE-617 | CWE-617 | CWE-538 |
| **In-the-wild** | **Yes** | Not stated | Not stated | Not stated |
**Defender takeaway:** Patching cameras does **not** remediate EIMS. Inventory **application servers** running Dahua enterprise software independently.
---
## Vulnerability Timeline
| Date | Event |
|---|---|
| **โค 2024** | Vulnerable EIMS releases deployed in enterprise environments |
| **2024** | Vulnerability discovered / reported (CVE year 2024) |
| **2024** | CNVD-2024-17054 assigned (China National Vulnerability Database) |
| **2025-08-27T21:23:37 UTC** | CVE-2024-13985 published to NVD/CVE.org |
| **2025โ2026** | Public scanners, PoC discussions, and nuclei templates circulate |
| **Post-publication** | **Exploitation evidence observed in the wild** |
| **2026-05-15T11:14:33 UTC** | NVD record last modified |
| **Ongoing** | Internet-exposed EIMS instances remain high-value targets |
---
## Description
Dahua **EIMS** provides enterprise-level information management capabilities used in integrated security and building-management deployments. A network-facing servlet or action handler exposed at **`capture_handle.action`** accepts a parameter named **`captureCommand`**.
### Failure Mode
The application treats `captureCommand` as input to a **host operating system command** (directly or via a shell wrapper) without:
- Requiring an authenticated session
- Validating allowed character sets or command vocabulary
- Escaping shell metacharacters
- Using safe APIs (e.g., parameterized process invocation with fixed executable and argument array)
An unauthenticated attacker submits crafted HTTP requests containing command injection payloads in `captureCommand`. The server **executes attacker-controlled OS commands** with the privileges of the EIMS application process โ typically a privileged service account on Windows or Linux hosts.
### Consequences
Successful exploitation leads to:
| Outcome | Detail |
|---|---|
| **Remote Code Execution** | Arbitrary binaries, scripts, or shell commands |
| **Full system compromise** | File read/write, user creation, service manipulation |
| **Lateral movement** | Pivot from EIMS host into AD, databases, camera VLANs |
| **Data exfiltration** | Access to EIMS-managed enterprise records |
| **Service disruption** | Stop EIMS, wipe data, deploy ransomware |
| **Supply-chain positioning** | Backdoor software update or device provisioning channels |
---
## Technical Analysis
### Endpoint and Parameter
| Component | Value |
|---|---|
| **HTTP path** | `capture_handle.action` |
| **Parameter** | `captureCommand` |
| **Protocol** | HTTP/HTTPS (deployment-dependent) |
| **Auth gate** | **Absent** (unauthenticated reachability) |
The `.action` suffix is characteristic of **Apache Struts2** or Struts-style Java MVC frameworks commonly used in enterprise Java web applications. While the vendor bulletin describes **command injection** rather than naming the framework, defenders should inspect EIMS deployments for **Java web containers** (Tomcat, etc.) and **reverse proxies** forwarding to that endpoint.
### CWE-78 โ OS Command Injection Mechanics
[CWE-78](https://cwe.mitre.org/data/definitions/78.html) arises when application code concatenates untrusted input into commands interpreted by `/bin/sh`, `cmd.exe`, or equivalent:
```
# Conceptual vulnerable pattern (pseudocode โ not vendor source)
Runtime.exec("capture-tool " + captureCommand);
# or
ProcessBuilder("sh", "-c", "capture-tool " + captureCommand);
```
Shell metacharacters (`;`, `|`, `&`, `` ` ``, `$()`, `&&`, `||`, newlines) allow **command termination** and **arbitrary secondary commands**.
### Why CVSS 10.0 Is Warranted
Every CVSS 4.0 impact metric in the published vector is **High**, including **subsequent system** impacts:
| Property | Value | Implication |
|---|---|---|
| `AV:N` | Network | WAN exploitation possible |
| `AC:L` | Low complexity | Single crafted HTTP request |
| `AT:N` | No special attack requirements | Default deployment exploitable |
| `PR:N` | No privileges | No account needed |
| `UI:N` | No user interaction | Fully automated exploitation |
| `VC/VI/VA:H` | Full CIA on EIMS host | Complete compromise |
| `SC/SI/SA:H` | Subsequent systems High | EIMS is a central integration hub |
This is among the most severe published scores possible under CVSS 4.0.
### EIMS Architecture Context (Operational)
EIMS typically sits **centralized** in the security architecture:
```
[Internet / WAN] โโ?โโ> [EIMS Application Server]
โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโ
โผ โผ โผ
[Directory] [Access DB] [Device APIs]
โ โ โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโ
โ
[Cameras / Doors / Alarms]
```
Compromise at the EIMS layer is **architecturally worse** than compromising a single IPC โ it is a **control plane** breach.
### Public Exploitation Ecosystem
Multiple public sources reference this flaw (see [References](#references)):
- Vendor bulletin on `support.dahuatech.com`
- CNVD and NVD entries
- Community write-ups (cn-sec.com, CSDN)
- Scanner templates (Nuclei, Pentest-Tools, VulnCheck, S4E)
The presence of **scanner signatures** and **in-the-wild exploitation** means opportunistic mass exploitation is an **immediate realistic threat**, not a theoretical research concern.
---
## Affected Products
### Vendor Summary
| # | Vendor | Product | Version Constraint |
|---|---|---|---|
| 1 | Zhejiang Dahua Technology Co., Ltd. | **EIMS** | All versions **< 2240008** |
| 2 | Zhejiang Dahua Technology Co., Ltd. | **EIMS** | Version **0** (baseline / all branches prior to fix) |
**Totals:** 1 affected vendor ยท 1 affected product (EIMS)
### Fixed Version
| Status | Version |
|---|---|
| **Vulnerable** | `< 2240008` |
| **Fixed** | **`2240008` and later** |
### Version Identification
Operators should record:
1. EIMS **build or package version** from the admin UI or installer manifest
2. Installed **patch level** from Dahua support portal entitlements
3. Host OS and deployment topology (standalone vs. clustered)
If version enumeration is unavailable, **assume vulnerable** until confirmed patched.
### What EIMS Is Not
| Product | Relationship |
|---|---|
| IPC / SD cameras | Different firmware; not covered by this CVE |
| NVR / XVR appliances | Embedded devices; separate CVEs |
| DMSS mobile app | Client software; not EIMS server |
| DSS / other VMS | Distinct products โ verify separately |
---
## CVSS Scoring
### Summary
| Score | Version | Severity | Vector |
|---|---|---|---|
| **10.0** | **4.0** | **CRITICAL** | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H` |
### CVSS 4.0 Metric Breakdown
| Metric | Value | Meaning for this CVE |
|---|---|---|
| **AV** | Network (`N`) | Remote exploitation over HTTP |
| **AC** | Low (`L`) | Reliable, low-skill exploitation |
| **AT** | None (`N`) | Default install exploitable |
| **PR** | None (`N`) | Unauthenticated |
| **UI** | None (`N`) | No victim interaction |
| **VC** | High (`H`) | Full read of server-accessible data |
| **VI** | High (`H`) | Full modification capability |
| **VA** | High (`H`) | Service termination / destruction |
| **SC** | High (`H`) | High confidentiality impact on subsequent systems |
| **SI** | High (`H`) | High integrity impact on subsequent systems |
| **SA** | High (`H`) | High availability impact on subsequent systems |
### Maximum Severity Interpretation
A **10.0** under CVSS 4.0 indicates **no compensating metric reduces urgency**. Patching, isolation, or takedown from untrusted networks should be treated as **P0 / emergency**.
---
## Vulnerability Scoring Details
Visual summary of the published CVSS 4.0 selector positions:
### Exploit Characteristics
```
Attack Vector: [Network] Adjacent Local Physical
Attack Complexity: [Low] High
Attack Requirements: [None] Present
Privileges Required: [None] Low High
User Interaction: [None] Passive Active
```
### Impact on Vulnerable System
```
Vuln Confidentiality: None Low [High]
Vuln Integrity: None Low [High]
Vuln Availability: None Low [High]
```
### Subsequent System Impact
```
Subseq Confidentiality: None Low [High]
Subseq Integrity: None Low [High]
Subseq Availability: None Low [High]
```
---
## CWE Classification
| # | CWE ID | Name | Relevance |
|---|---|---|---|
| 1 | **CWE-78** | [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')](https://cwe.mitre.org/data/definitions/78.html) | `captureCommand` passed to OS command execution without neutralization |
### Related Weaknesses (Contextual)
| CWE | Name | Relationship |
|---|---|---|
| CWE-77 | Command Injection (generic) | Parent category |
| CWE-306 | Missing Authentication for Critical Function | Unauthenticated reachability of dangerous handler |
| CWE-20 | Improper Input Validation | Root validation failure |
| CWE-434 | Unrestricted Upload | Possible post-exploitation follow-on, not core CVE |
---
## Attack Prerequisites
| Prerequisite | Required? | Notes |
|---|---|---|
| Valid EIMS credentials | **No** | Unauthenticated |
| Victim user interaction | **No** | Single HTTP request sufficient |
| Prior compromise | **No** | Standalone exploitation |
| Network reachability to EIMS HTTP(S) | **Yes** | `capture_handle.action` accessible |
| Vulnerable version (`< 2240008`) | **Yes** | Patched versions not affected |
| Internet exposure | **Not required** | LAN/WAN/VPN reachable instances equally at risk |
**Remotely Exploitable:** **Yes**
---
## Exploitation Scenarios
### Scenario 1 โ Internet-Exposed EIMS (Shodan / ZoomEye)
Attackers enumerate `app="Dahua EIMS"` hosts on internet scan engines, deliver command injection to `capture_handle.action`, deploy webshell or reverse shell, and exfiltrate enterprise security databases.
### Scenario 2 โ Ransomware Operator Mass Campaign
Automated scanners identify vulnerable instances. Attackers encrypt EIMS host and connected file shares, demanding ransom while physical access control and visitor management integrations are offline.
### Scenario 3 โ Lateral Movement from Perimeter Breach
An attacker compromises a DMZ web server, pivots to an internally reachable EIMS instance on a shared management VLAN, and uses EIMS credentials/API keys stored on the host to interact with downstream door controllers and cameras.
### Scenario 4 โ Insider-Less Espionage
Nation-state or criminal actors silently exfiltrate personnel access logs, visitor records, and building maps without rebooting services โ maintaining long-term persistence via cron/systemd backdoors.
### Scenario 5 โ Supply Chain / Integrator MSP
A managed service provider hosts one EIMS instance for dozens of customers. Single compromise affects **all tenants** on that server โ a concentrated catastrophic failure.
---
## Impact Assessment
### Technical Impact
| Domain | Rating | Detail |
|---|---|---|
| Confidentiality | **High** | Full filesystem and DB read access typical |
| Integrity | **High** | Arbitrary file write, config tampering, backdoors |
| Availability | **High** | Kill process, wipe data, ransomware |
| Subsequent systems | **High** | Integration credentials enable downstream abuse |
### Business Impact
| Sector | Consequence |
|---|---|
| **Corporate campuses** | Access control bypass, visitor data leak |
| **Government / critical infra** | Control-plane breach across physical security |
| **Healthcare** | HIPAA-relevant access log exposure |
| **Education** | Student/staff safety system manipulation |
| **Integrators / MSPs** | Multi-customer breach from one host |
### Regulatory and Legal Exposure
EIMS compromise may trigger:
- Breach notification obligations (GDPR, state privacy laws, etc.)
- Critical infrastructure reporting in regulated sectors
- Contractual SLA penalties with physical security customers
---
## Asset Discovery
### ZoomEye Query
| Platform | Query | Link |
|---|---|---|
| **ZoomEye** | `app="Dahua EIMS"` | [Search on ZoomEye](https://www.zoomeye.ai/searchResult?q=YXBwPSJEYWh1YSBFSU1TIg==) |
### Defensive Inventory (Authorized Only)
| Method | Action |
|---|---|
| **CMDB / license records** | List all EIMS installs and versions |
| **VM inventory** | Search for Dahua EIMS packages on application servers |
| **Reverse proxy configs** | Identify upstreams routing to `capture_handle.action` |
| **Vulnerability scanners** | Run vendor-approved checks using published signatures |
| **Internet attack surface** | Compare ZoomEye results against owned public IPs |
> Only scan assets you own or are explicitly authorized to test.
---
## Detection and Indicators of Compromise
### Network Indicators
- HTTP `GET`/`POST` to **`/capture_handle.action`** or path suffix match
- Requests containing **`captureCommand=`** with shell metacharacters or encoded equivalents (`%3B`, `%7C`, `%26`, `%24`, `` %60 ``, `%0A`)
- Spike in **4xx/5xx** responses followed by **new outbound connections** from EIMS host
- Unexpected **DNS queries** or **beaconing** from application server after anomalous HTTP
### Host Indicators
- New **cron jobs**, **scheduled tasks**, or **systemd units** on EIMS server
- Unexpected **web shells** in Tomcat/webapp directories
- **New local users** or **SSH authorized_keys** modifications
- **java** or **tomcat** process spawning `/bin/sh`, `cmd.exe`, `powershell`, `bash`
- Antivirus/EDR alerts on EIMS host correlated with web access logs
### Application Log Patterns
- `capture_handle.action` access from **unfamiliar source IPs**
- **High-frequency** identical requests (scanner behavior)
- Errors in command wrapper utilities immediately after suspicious `captureCommand` values
### Threat Intelligence Feeds
Monitor for:
- CNVD-2024-17054 / CVE-2024-13985 signatures
- Nuclei template matches (public templates exist โ use for **authorized** scanning)
- SIEM rules tagging Dahua EIMS exploit attempts
### Recommended Emergency Queries (SIEM)
```
# Example patterns โ adapt to your log schema
url:"capture_handle.action" AND captureCommand:*
url:"capture_handle.action" AND (captureCommand:*;* OR captureCommand:*|* OR captureCommand:*&*)
```
---
## Mitigation and Remediation
### Primary Remediation โ Upgrade to 2240008+
1. **Inventory** all EIMS deployments and record versions.
2. **Upgrade immediately** to version **2240008** or later from [Dahua Support Bulletin](https://support.dahuatech.com/bulletin/info?IsDpValue=APKncD%2FB).
3. **Verify** patch success via version string and absence of exploitable behavior in **authorized** regression tests.
4. **Rotate** all credentials stored on or reachable from the EIMS host (DB, API keys, service accounts, integration passwords).
### Emergency Containment (If Patching Is Delayed)
| Control | Priority | Action |
|---|---|---|
| **Remove internet exposure** | **P0** | Take EIMS offline from WAN immediately |
| **WAF / reverse proxy block** | **P0** | Block `capture_handle.action` at edge |
| **Network ACL** | **P0** | Allow only admin jump-host IPs to EIMS port |
| **Disable vulnerable handler** | P1 | If vendor or integrator provides interim config (confirm with support) |
| **EDR isolation** | P1 | Restrict outbound from EIMS except required integrations |
### Post-Compromise Recovery
If exploitation is suspected:
1. **Isolate** the host from network
2. **Preserve forensic images** before rebuild
3. **Rebuild** from known-good media (not in-place "cleanup" alone)
4. **Rotate** all secrets company-wide that were accessible from EIMS
5. **Review** downstream device configs for unauthorized changes
6. **Report** per organizational IR and regulatory requirements
### Secure Deployment Hardening (Long-Term)
| Practice | Recommendation |
|---|---|
| **Never expose EIMS to internet** | VPN or zero-trust only |
| **Segment** EIMS on dedicated management VLAN |
| **Run with least privilege** | Non-root service account; restricted file permissions |
| **Centralize logging** | Forward HTTP and OS logs to SIEM |
| **Patch cadence** | Treat Dahua enterprise apps like any critical CMDB tier-1 app |
---
## Workarounds
No vendor-sanctioned **permanent** workaround replaces upgrading to **2240008+**. Interim measures:
1. **Block** external access to `capture_handle.action` at the reverse proxy/WAF.
2. **Air-gap** EIMS from untrusted networks until patched.
3. **Disable** the EIMS web tier if business continuity allows using alternate management paths temporarily.
These are **stop-gap** controls; vulnerable code remains exploitable by anyone who can reach the endpoint.
---
## Vendor Response
Dahua published a security bulletin via its support portal:
- **Bulletin:** https://support.dahuatech.com/bulletin/info?IsDpValue=APKncD%2FB
Obtain **fixed installers**, release notes, and any interim guidance from that bulletin or authorized Dahua support channels.
---
## References
| Resource | URL |
|---|---|
| Dahua Support Bulletin | https://support.dahuatech.com/bulletin/info?IsDpValue=APKncD%2FB |
| NVD Entry | https://nvd.nist.gov/vuln/detail/CVE-2024-13985 |
| CVE Record | https://vulners.com/cve/CVE-2024-13985 |
| CNVD-2024-17054 | https://www.cnvd.org.cn/flaw/show/CNVD-2024-17054 |
| VulnCheck Advisory | https://www.vulncheck.com/advisories/dahua-eims-rce |
| S4E Tool Reference | https://s4e.io/tools/dahua-eims-remote-code-execution |
| Pentest-Tools Entry | https://pentest-tools.com/vulnerabilities-exploits/dahua-eims-re |
| Nuclei Template (ahisec) | https://github.com/ahisec/nuclei-tps/blob/main/http/vulnerabilit |
| cn-sec.com Write-up | https://cn-sec.com/archives/2554372.html |
| CSDN Analysis | https://blog.csdn.net/weixin_43567873/article/details/136636198 |
| ZoomEye Search | https://www.zoomeye.ai/searchResult?q=YXBwPSJEYWh1YSBFSU1TIg== |
| CWE-78 Definition | https://cwe.mitre.org/data/definitions/78.html |
| CVSS 4.0 Specification | https://www.first.org/cvss/v4.0/specification-document |
---
## Disclaimer
This document is an **informational security advisory** compiled from publicly available CVE metadata, vendor bulletins, and industry reporting. It is intended to help defenders understand and prioritize remediation for **CVE-2024-13985**.
- This README **does not** provide weaponized exploit code, copy-paste injection payloads, or step-by-step compromise tutorials.
- Technical analysis of framework behavior is **inferred** where vendor source is unavailable.
- Asset search links are for **authorized inventory** of your own attack surface.
- Apply patches and containment measures through your organization's **change and incident response** procedures.
- The authors are not liable for actions taken based on this document.
**Responsible use:** Test only systems you own or are authorized to assess. Report active exploitation to national CERTs and Dahua support as appropriate.
---
## Document Revision History
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-07-11 | Initial comprehensive advisory README based on CVE-2024-13985 publication data |
---
CVE-2024-13985 ยท Dahua EIMS ยท CVSS 4.0 10.0 CRITICAL ยท CWE-78 ยท capture_handle.action