cbcvebase.
CVE-2017-7925
published 2017-05-06

CVE-2017-7925: A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX…

Priority: P276 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 52.06% (98.8th percentile)

A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The password in configuration file vulnerability was identified, which could lead to a malicious user assuming the identity of a privileged user and gaining access to sensitive information.

Detection & IOCs (extracted from sources)

path: /current_config/passwd
other: shodan:http.favicon.hash:2019488876
other: fofa:icon_hash=2019488876
other: regex:1:(.*:.*):1:CtrPanel
yara: contains(to_lower(body), "ugm") AND contains(to_lower(body), "id:name:passwd") AND status_code == 200

  • Send an unauthenticated HTTP GET request to /current_config/passwd on the target device. A vulnerable response will return HTTP 200 and a body containing the strings 'ugm' and 'id:name:passwd', indicating plaintext or weakly encoded credentials are exposed.
  • Extract credentials from the response body using the regex pattern '1:(.*:.*):1:CtrPanel' to capture privileged user password entries from the configuration file.
  • Use Shodan or FOFA to identify exposed Dahua devices via favicon hash 2019488876 as a pre-exploitation reconnaissance step.
  • Successful exploitation allows a malicious user to obtain password hashes from the configuration file and use them to bypass authentication (pass-the-hash), per the companion CVE-2017-7927.
  • The vulnerability is unauthenticated and remotely exploitable with low skill level; public exploits are available, making mass exploitation highly likely.

CVSS provenance

nvd | v3.0 | 9.8 CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 5.0 MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N