
Description

A vulnerability exists in certain Dahua embedded products. A malicious third party who has obtained normal user credentials could exploit the vulnerability to access certain data restricted to admin privileges, such as system-sensitive files, through a specific HTTP request. This may allow tampering with the admin password, leading to privilege escalation. Systems with only an admin account are not affected.

PUBLISHED Reserved 2025-04-01 | Published 2025-10-15 | Updated 2025-10-15 | Assigner dahua




MEDIUM: 6.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-732 Incorrect Permission Assignment for Critical Resource

Product status

Default status: unaffected

Affected products include certain models from the IPC-1XXX, IPC-2XXX, IPC-WX, and IPC-ECXX series, limited to versions with a build time prior to 1st July 2025 (not including 1st July 2025).
Status: affected

Default status: unaffected

Affected products include certain models from the SD3A, SD2A, SD3D, SDT2A, and SD2C series, limited to versions with a build time prior to 1st July 2025 (not including 1st July 2025).
Status: affected

References

www.dahuasecurity.com/aboutUs/trustedCenter/details/777

cve.org (CVE-2025-31702)

nvd.nist.gov (CVE-2025-31702)
