CVE-2013-6117
published 2014-07-11CVE-2013-6117: Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change…
PriorityP183high7.5CVSS 2.0
AVNACLAuNCPIPAP
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
70.71%
99.3th percentile
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dahuasecurity | camera_firmware | — | — |
| dahuasecurity | dvr_firmware | — | — |
| dahuasecurity | dvr_firmware | — | — |
| dahuasecurity | nvr_firmware | — | — |
| dahuasecurity | smartpss_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
\xa1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes↗
\xb1\x00\x00\x58\x00\x00\x00\x00
bytes↗
\xa4\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes↗
\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes↗
\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes↗
\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes↗
\xa6\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes↗
\xa4\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes↗
\x60\x00\x00\x00\x00\x00\x00\x00\x90\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
- →Detect unauthenticated probes against Dahua DVR administrative service by monitoring for the 32-byte discovery packet starting with \xa1\x00 on TCP/37777, followed by the expected 8-byte DVR response \xb1\x00\x00\x58\x00\x00\x00\x00. ↗
- →Alert on unauthenticated binary protocol commands sent to TCP/37777 — specifically packets beginning with \xa3, \xa4, \xa6, \xa8, or \x60 opcodes — which correspond to config-read and log-clear commands requiring no prior authentication. ↗
- →Flag presence of known Dahua DVR default password hashes (4WzwxXxM for '888888', sh15yfFM for '666666', 6QNMIQGe for 'admin') in network traffic or credential stores, indicating use of default credentials on vulnerable devices. ↗
- →Monitor for the Metasploit auxiliary module 'auxiliary/scanner/misc/dahua_dvr_auth_bypass' being loaded or executed, which automates unauthenticated credential and config extraction from Dahua DVRs. ↗
- →Detect ActiveX instantiation of 'webrec.cab' in browser environments, which communicates over the unauthenticated binary protocol on TCP/37777. ↗
- ·The vulnerable administrative service runs on TCP/37777 by default but the port is configurable; scanning only the default port may miss reconfigured instances. ↗
- ·SMTP, NAS, and DDNS credentials are stored and transmitted in cleartext by the device, meaning credential exposure does not require decryption. ↗
- ·The device also listens on telnet by default with a static, publicly known root password (CVE-2013-3612), providing an additional unauthenticated access vector beyond TCP/37777. ↗
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-f492-fgmp-2462: Dahua DVR 2
ghsa_unreviewed·2022-05-17
CVE-2013-6117 [HIGH] CWE-287 GHSA-f492-fgmp-2462: Dahua DVR 2
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.
GHSA
GHSA-f8hh-555p-7c36: An issue was discovered on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3
ghsa_unreviewed·2022-05-13·CVSS 7.5
CVE-2017-6342 [HIGH] CWE-269 GHSA-f8hh-555p-7c36: An issue was discovered on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3
An issue was discovered on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06-06, Camera Firmware 2.400.0000.28.R 2016-03-29, and SmartPSS Software 1.16.1 2017-01-19. When SmartPSS Software is launched, while on the login screen, the software in the background automatically logs in as admin. This allows sniffing sensitive information identified in CVE-2017-6341 without prior knowledge of the password. This is a different vulnerability than CVE-2013-6117.
GHSA
GHSA-mq4w-63hh-gh6j: The web interface on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3
ghsa_unreviewed·2022-05-13·CVSS 7.5
CVE-2017-6343 [HIGH] CWE-287 GHSA-mq4w-63hh-gh6j: The web interface on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3
The web interface on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06-06, Camera Firmware 2.400.0000.28.R 2016-03-29, and SmartPSS Software 1.16.1 2017-01-19 allows remote attackers to obtain login access by leveraging knowledge of the MD5 Admin Hash without knowledge of the corresponding password, a different vulnerability than CVE-2013-6117.
GHSA
GHSA-h4vw-6v48-gcvv: Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3
ghsa_unreviewed·2022-05-13·CVSS 7.5
CVE-2017-6341 [HIGH] CWE-319 GHSA-h4vw-6v48-gcvv: Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3
Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06-06, Camera Firmware 2.400.0000.28.R 2016-03-29, and SmartPSS Software 1.16.1 2017-01-19 send cleartext passwords in response to requests from the Web Page, Mobile Application, and Desktop Application interfaces, which allows remote attackers to obtain sensitive information by sniffing the network, a different vulnerability than CVE-2013-6117.
VulnCheck
dahuasecurity dvr Improper Authentication
vulncheck·2013·CVSS 7.5
CVE-2013-6117 [HIGH] dahuasecurity dvr Improper Authentication
dahuasecurity dvr Improper Authentication
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.
Affected: dahuasecurity dvr
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitation-Report.pdf
Exploit PoC: https://vulncheck.com/xdb/352b3a12c3fd
No detection rules found.
Exploit-DB
Dahua DVR 2.608.0000.0/2.608.GV00.0 - Authentication Bypass (Metasploit)
exploitdb·2013-11-18·CVSS 7.5
CVE-2013-6117 [HIGH] Dahua DVR 2.608.0000.0/2.608.GV00.0 - Authentication Bypass (Metasploit)
Dahua DVR 2.608.0000.0/2.608.GV00.0 - Authentication Bypass (Metasploit)
---
Dahua DVR Authentication Bypass - CVE-2013-6117
--Summary--
Dahua web-enabled DVRs and rebranded versions do not enforce authentication on their administrative services.
# Zhejiang Dahua Technology Co., Ltd.
# http://www.dahuasecurity.com
--Affects--
# Dahua web-enabled DVRs
# Dahua-rebranded web-enabled DVRs
# Verified on v2.608.0000.0 and 2.608.GV00.0
--Details--
Dahua web-enabled DVRs utilize fat-client utilities like PSS, mobile client interfaces like iDMSS, and an ActiveX control, "webrec.cab" for browser-based access. These clients communicate with an administrative service which runs on TCP port 37777 by default and can be changed. At least in the case of the ActiveX control, a simple binary protoc
Metasploit
auxiliary/scanner/misc/dahua_dvr_auth_bypass
metasploit
auxiliary/scanner/misc/dahua_dvr_auth_bypass
Scans for Dahua-based DVRs and then grabs settings. Optionally resets a user's password and clears the device logs
No writeups or analysis indexed.
http://blog.depthsecurity.com/2013/11/dahua-dvr-authentication-bypass-cve.htmlhttp://packetstormsecurity.com/files/124022/Dahua-DVR-Authentication-Bypass.htmlhttp://seclists.org/bugtraq/2013/Nov/62http://www.exploit-db.com/exploits/29673http://www.osvdb.org/99783http://blog.depthsecurity.com/2013/11/dahua-dvr-authentication-bypass-cve.htmlhttp://packetstormsecurity.com/files/124022/Dahua-DVR-Authentication-Bypass.htmlhttp://seclists.org/bugtraq/2013/Nov/62http://www.exploit-db.com/exploits/29673http://www.osvdb.org/99783
2014-07-11
Published
Exploited in the wild