
Bitdefender researchers have uncovered critical security flaws in Dahua’s Hero C1 (DH-H4C) smart camera series. The vulnerabilities stem from weaknesses in the device’s ONVIF protocol and file upload handlers, allowing unauthenticated attackers to remotely execute arbitrary commands and seize full control of the device. Specifically, the flaws include a stack-based buffer overflow in the ONVIF protocol handler and a .bss segment overflow in the RPC upload handler.

Dahua was notified under responsible disclosure protocols and has since released patches addressing the vulnerabilities.

“Both vulnerabilities are unauthenticated and exploitable over the local network. Devices exposed to the internet through port forwarding or UPnP are especially at risk. Successful exploitation provides root-level access to the camera with no user interaction,” Bitdefender researchers wrote in a blog post this week. “Because the exploit path bypasses firmware integrity checks, attackers can load unsigned payloads or persist via custom daemons, making cleanup difficult.”

They added that the issues were verified on a Dahua Hero C1 (DH-H4C) running firmware version V2.810.9992002.0.R (Build Date: 2024-01-23) with ONVIF version 21.06 and Web UI version V3.2.1.1452137. “This version was confirmed as the latest available when starting our research through the device’s own update interface.” 

Other affected models identified in the vendor’s own audit include the IPC-1XXX, IPC-2XXX, IPC-WX, IPC-ECXX, SD3A, SD2A, SD3D, SDT2A and SD2C series, on firmware versions dated before April 16, 2025.

On March 28 this year, Bitdefender shared its findings with the Dahua team through a secure communication channel. The following day, March 29, Dahua acknowledged receipt and began an internal investigation. By April 1, Dahua had confirmed the vulnerabilities reported by Bitdefender as valid. On April 23, Dahua requested an extension, and Bitdefender agreed to move the public disclosure date to July 23. Dahua released patches addressing the vulnerabilities on July 7 and confirmed its commitment to the coordinated July 23 disclosure. On that date, the report was made public as part of the responsible disclosure process.

Bitdefender detailed that exploitation is possible without prior authentication, and a successful attack results in full code execution. “The proof-of-concept (PoC) developed by researchers shows the attacker writing system commands into memory and then invoking them through carefully crafted return-oriented programming (ROP) chains. The PoC drops an ELF payload using tftp and spawns a bind shell on port 4444 using LD_PRELOAD, bypassing binary signature checks,” the post added.

The second vulnerability exists in the handler for the undocumented endpoint, where the camera copies the Cseq HTTP header directly into a buffer located in the .bss memory section using a flawed ‘strncpy’ implementation. “The variable at 0x03955c38 stores a pointer to a structure that can be overwritten by strncpy. The functions at 0x00586dd4 and 0x00586d18 continuously check this structure for expired sessions.”

The post added that “Because no bounds checking is performed, an attacker can overwrite adjacent global variables, including a structure that stores pointers to session management functions. These are routinely invoked by the firmware to manage timeouts. By planting a crafted structure in memory, the attacker can redirect execution to a call to system(), again resulting in full remote code execution—no authentication needed.”
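To make the .bss overflow pattern concrete, the following is an added example written for this article, not Bitdefender’s proof of concept or Dahua firmware code. It models a request handler that copies the Cseq header into a fixed global buffer with a hand-rolled strncpy whose only bound is the attacker-controlled header length, so an over-long header runs into the adjacent global that holds the session-management function pointer; a periodic timeout sweep then calls through that pointer. The hardened variant bounds the copy by the destination and rejects values that do not fit. All names, buffer sizes, the struct layout and the sample requests are assumptions for illustration.

```c
/* Added example (not the vendor's or Bitdefender's code): a .bss overflow
 * that reaches an adjacent function-pointer structure. Names and sizes are
 * assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CSEQ_MAX 64
#define MAX_SESSIONS 2

struct session { int active; long expires_at; };
struct session_ops { void (*on_expire)(int idx); }; /* called by the sweep */

/* Zero-initialised globals live in .bss. The Cseq buffer sits immediately
 * before the ops structure, like the adjacent globals in the advisory. */
static struct {
    char cseq[CSEQ_MAX];
    struct session_ops ops;
    struct session sessions[MAX_SESSIONS];
} g;

static void expire_session(int idx) { g.sessions[idx].active = 0; }

void reset_ctx(void)
{
    memset(&g, 0, sizeof g);
    g.ops.on_expire = expire_session;
    g.sessions[0].active = 1; g.sessions[0].expires_at = 100;
    g.sessions[1].active = 1; g.sessions[1].expires_at = 500;
}

/* Hand-rolled strncpy as firmware often carries: copies up to n bytes and
 * pads with NUL. The only bound it knows is n. */
static char *fw_strncpy(char *dst, const char *src, size_t n)
{
    size_t i = 0;
    for (; i < n && src[i]; i++) dst[i] = src[i];
    for (; i < n; i++) dst[i] = '\0';
    return dst;
}

/* Locate header `name` in a raw request; return its value and length up to
 * the end of the line, or NULL if absent. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *line = req; *line; ) {
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            *len = strcspn(v, "\r\n");
            return v;
        }
        line += strcspn(line, "\n");
        if (*line == '\n') line++;
    }
    return NULL;
}

/* Vulnerable: n is the attacker-supplied header length, not the size of
 * g.cseq, so the copy writes straight through into g.ops. */
static int store_cseq_vulnerable(const char *val, size_t len)
{
    fw_strncpy(g.cseq, val, len);
    return 0;
}

/* Hardened: bound by the destination, reject rather than silently truncate,
 * and always NUL-terminate. */
static int store_cseq_hardened(const char *val, size_t len)
{
    if (len >= sizeof g.cseq) return -1;
    memcpy(g.cseq, val, len);
    g.cseq[len] = '\0';
    return 0;
}

/* 0 if Cseq was stored, -1 if missing or rejected. */
int handle_request(const char *req, int hardened)
{
    size_t len;
    const char *val = find_header(req, "Cseq", &len);
    if (!val) return -1;
    return hardened ? store_cseq_hardened(val, len) : store_cseq_vulnerable(val, len);
}

/* The periodic timeout sweep: an indirect call through g.ops, which is the
 * call an attacker redirects (to system() in the real PoC). Only call this
 * on an intact context. Returns the number of sessions expired. */
int sweep_expired(long now)
{
    int n = 0;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (g.sessions[i].active && g.sessions[i].expires_at <= now) {
            g.ops.on_expire(i);
            n++;
        }
    return n;
}

int on_expire_intact(void) { return g.ops.on_expire == expire_session; }
const char *current_cseq(void) { return g.cseq; }

/* True if every byte of the function pointer now equals c. */
int on_expire_bytes_are(unsigned char c)
{
    unsigned char raw[sizeof(void *)];
    memcpy(raw, &g.ops.on_expire, sizeof raw);
    for (size_t i = 0; i < sizeof raw; i++) if (raw[i] != c) return 0;
    return 1;
}

/* Constructed malicious request: CSEQ_MAX filler bytes, then 8 'B's that
 * land on g.ops.on_expire. */
const char *overflow_request(void)
{
    static char req[256];
    int n = snprintf(req, sizeof req, "POST /upload HTTP/1.1\r\nCseq: ");
    memset(req + n, 'A', CSEQ_MAX);
    memset(req + n + CSEQ_MAX, 'B', 8);
    memcpy(req + n + CSEQ_MAX + 8, "\r\n\r\n", 5);
    return req;
}

int main(void)
{
    reset_ctx();
    handle_request(overflow_request(), 0);
    printf("vulnerable copy: on_expire intact=%d\n", on_expire_intact());
    reset_ctx();
    printf("hardened copy: rc=%d intact=%d\n",
           handle_request(overflow_request(), 1), on_expire_intact());
    handle_request("GET /x HTTP/1.1\r\nCSeq: 42\r\n\r\n", 1);
    printf("benign: cseq=%s expired=%d\n", current_cseq(), sweep_expired(200));
    return 0;
}
```

The demonstration stops at showing the pointer is attacker-controlled rather than calling through it; in the firmware the sweep would dereference it on the next timeout check, which is what turns an unauthenticated header into a call to system(). Note that the hardened copy rejects over-long values instead of truncating them, so a Cseq that does not fit is an error the caller can log rather than a silently mangled sequence number.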

Bitdefender recommends that users avoid exposing the web interface of vulnerable Dahua camera models to the internet. They should disable UPnP and remove any port forwarding rules that may be in place. It is also advised to isolate the camera on a separate VLAN (virtual local area network) or dedicated IoT network to reduce the risk of lateral movement within the network. Users should closely monitor vendor updates and apply firmware patches as soon as they become available. As of this writing, firmware versions released after April 16, 2025, address the identified vulnerabilities.

Back in 2022, industrial cybersecurity firm Nozomi Networks detailed a vulnerability affecting the implementation of the Open Network Video Interface Forum (ONVIF) ‘WS-UsernameToken’ authentication mechanism in some IP cameras developed by Dahua. Attackers could exploit the flaw to compromise network cameras by sniffing an earlier unencrypted ONVIF exchange and replaying the captured credentials in a new request to the camera.

Threats to infrastructure via smart cameras are nothing new. Just last month, following the Iran-Israel conflict, DomainTools Investigations reported that Iranian cyber operators hijacked Israeli CCTV and smart home cameras to monitor missile strike precision and impact in real time. Since early June, cyberattack activity has surged sharply, hitting sectors across Israel, including energy, defense, agriculture, and municipal systems, and increasingly targeting Western infrastructure as well.