CVE-2019-3948
published 2019-07-29


Priority: P2 69 (high)
CVSS 3.0: 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 26.70% (97.8th percentile)
The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0.R, Dahua DH-IPC HX883X and DH-IPC-HX863X V2.622.0000000.7.R, Dahua DH-SD4XXXXX V2.623.0000000.7.R, Dahua DH-SD5XXXXX V2.623.0000000.1.R, Dahua DH-SD6XXXXX V2.640.0000000.2.R and V2.623.0000000.1.R, Dahua NVR5XX-4KS2 V3.216.0000006.0.R, Dahua NVR4XXX-4KS2 V3.216.0000006.0.R, and NVR2XXX-4KS2 do not require authentication to access the HTTP endpoint /videotalk. An unauthenticated, remote person can connect to this endpoint and potentially listen to the audio of the capturing device.

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amcrest | ip2m-841b_firmware | | |
| dahua | dh-ipc-hx863x | < 2018-05-18 | 2018-05-18 |
| dahua | dh-ipc-hx883x | < 2018-05-18 | 2018-05-18 |
| dahua | dh-sd4xxxxx | < 2018-05-18 | 2018-05-18 |
| dahua | dh-sd5xxxxx | < 2018-05-18 | 2018-05-18 |
| dahua | dh-sd6xxxxx | < 2018-05-18 | 2018-05-18 |
| dahua | ipc-hx4x3x | < 2018-05-18 | 2018-05-18 |
| dahua | ipc-hx5x3x | < 2018-05-18 | 2018-05-18 |
| dahua | ipc-xxbxx | < 2018-05-18 | 2018-05-18 |
| dahua | nvr2xxx-4ks2 | < 2018-05-18 | 2018-05-18 |
| dahua | nvr4xxx-4ks2 | < 2018-05-18 | 2018-05-18 |
| dahua | nvr5xxx-4ks2 | < 2018-05-18 | 2018-05-18 |

Detection & IOCs (extracted from sources)

url: /videotalk
command: GET /videotalk HTTP/1.1
port: 37777
bytes: \xa0\x00\x00\x60\x00\x00\x00\x00\xc4\xa3\xaf\x48\x99\x56\xb6\xb4\x7e\x48\xc4\x86\x90\x98\x54\xf3\x05\x02\x00\x01\x00\x00\xa1\xaa
bytes: dhavp\x01\x00\x00
  • Monitor for unauthenticated HTTP GET requests to the /videotalk endpoint on Amcrest/Dahua IP cameras; any request to this path requires no credentials and immediately streams live audio.
  • Detect DHAV audio stream framing in TCP payloads: look for the 4-byte magic 'DHAV' in the stream header and the 8-byte trailer 'dhavp\x01\x00\x00' to identify active exploitation of the unauthenticated audio endpoint.
  • Alert on TCP connections to port 37777 on Dahua/Amcrest devices that send the known admin:01testit credential hash bytes (login replay attack, CVE-2017-7927 variant); the fixed 32-byte login packet starts with \xa0\x00\x00\x60.
  • Use the Shodan dork html:"@WebVersion@" to identify internet-exposed Amcrest/Dahua camera web interfaces that may be vulnerable.
  • HTTP responses from the /videotalk endpoint will return '200 OK' with a continuous DHAV-framed audio stream; a payload length of 368 bytes per frame is characteristic of this stream.
  • The login replay attack against TCP/37777 only succeeds when the user's password is exactly 8 characters long; longer passwords are not affected by this specific hash-replay variant.
  • The ffplay decoding command assumes the camera is using default audio encoding (A-law, 8kHz, mono); non-default encoding settings will require different decode parameters.
  • The /videotalk unauthenticated audio streaming vulnerability affects multiple Dahua OEM product lines beyond just Amcrest, including Dahua IPC, DH-IPC, DH-SD, and NVR series devices across several firmware versions.
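
The /videotalk indicators above, combined into one check over a reassembled HTTP exchange. This is an added example, not code from the sources this page quotes. The function names, the zero-filled frame body and the 192.0.2.10 host are assumptions; only the path, the DHAV magic, the trailer bytes and the 368-byte frame length come from the page.

```python
import struct

FRAME_LEN = 368                       # per-frame length given on the page
MAGIC = b"DHAV"                       # stream header magic from the page
TRAILER = b"dhavp\x01\x00\x00"        # 8-byte trailer from the page
# The trailer's last four bytes read as little-endian 368, the same frame length.
assert TRAILER == b"dhav" + struct.pack("<I", FRAME_LEN)


def is_unauth_videotalk_request(request: bytes) -> bool:
    """True for an HTTP GET to /videotalk that carries no Authorization header."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return False
    path = parts[1].split("?", 1)[0]
    headers = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    return path == "/videotalk" and "authorization" not in headers


def count_dhav_frames(payload: bytes) -> int:
    """Count 368-byte spans that start with DHAV and end with the trailer."""
    count, i = 0, payload.find(MAGIC)
    while i != -1:
        frame = payload[i:i + FRAME_LEN]
        if len(frame) == FRAME_LEN and frame.endswith(TRAILER):
            count += 1
            i = payload.find(MAGIC, i + FRAME_LEN)   # skip past a whole frame
        else:
            i = payload.find(MAGIC, i + 1)           # stray match, keep scanning
    return count


def classify(request: bytes, response: bytes) -> str:
    """Label one reassembled HTTP exchange with a camera."""
    if not is_unauth_videotalk_request(request):
        return "ignore"
    status = response.split(b"\r\n", 1)[0]
    if b" 200" in status and count_dhav_frames(response) > 0:
        return "audio-streamed"   # device returned audio without credentials
    return "probe-only"           # request seen, no DHAV audio in the reply


# Constructed sample traffic; the frame body is zero padding, not real audio.
FRAME = MAGIC + bytes(FRAME_LEN - len(MAGIC) - len(TRAILER)) + TRAILER
REQ = b"GET /videotalk HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
RESP_OPEN = b"HTTP/1.1 200 OK\r\n\r\n" + FRAME * 3
RESP_FIXED = b"HTTP/1.1 401 Unauthorized\r\n\r\n"
```

Separating "audio-streamed" from "probe-only" lets an alert distinguish a device that actually leaked audio from one that only received the request.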

CVSS provenance

nvd, v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd, v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N