CVE-2021-33044
published 2021-09-15


Priority: P1 (98), critical, 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2024-09-11
Exploited in the wild
EPSS: 99.87% (100.0th percentile)

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

Affected

19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dahuasecurity | ipc-hum7xxx_firmware | < 2.820.0000000.5.r.210705 | 2.820.0000000.5.r.210705 |
| dahuasecurity | ipc-hx3xxx_firmware | < 2.800.0000000.29.r.210630 | 2.800.0000000.29.r.210630 |
| dahuasecurity | ipc-hx5xxx_firmware | < 2.820.0000000.18.r.210705 | 2.820.0000000.18.r.210705 |
| dahuasecurity | sd1a1_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | sd22_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | sd49_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | sd50_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | sd52c_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | sd6al_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | tpc-bf1241_firmware | < 2.630.0000000.6.r.210707 | 2.630.0000000.6.r.210707 |
| dahuasecurity | tpc-bf2221_firmware | < 2.630.0000000.10.r.210707 | 2.630.0000000.10.r.210707 |
| dahuasecurity | tpc-bf5x01_firmware | < 2.630.0000000.12.r.210707 | 2.630.0000000.12.r.210707 |
| dahuasecurity | tpc-bf5x21_firmware | < 2.630.0000000.8.r.210630 | 2.630.0000000.8.r.210630 |
| dahuasecurity | tpc-pt8x21b_firmware | < 2.630.0000000.10.r.210701 | 2.630.0000000.10.r.210701 |
| dahuasecurity | tpc-sd2221_firmware | <= 2.630.0000000.7.r.210707 | |
| dahuasecurity | tpc-sd8x21_firmware | < 2.630.0000000.9.r.210706 | 2.630.0000000.9.r.210706 |
| dahuasecurity | vth-542xh_firmware | < 4.500.0000002.0.r.210715 | 4.500.0000002.0.r.210715 |
| dahuasecurity | vto-65xxx_firmware | < 4.300.0000004.0.r.210715 | 4.300.0000004.0.r.210715 |
| dahuasecurity | vto-75x95x_firmware | < 4.300.0000003.0.r.210714 | 4.300.0000003.0.r.210714 |

Detection & IOCs

url: /RPC2_Login
command: {"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
port: 23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M2 (http) (CVE-2021-33044)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:11; content:"/RPC2_Login"; fast_pattern; http.request_body; content:"|22|method|22 3a|"; content:"|22|global.login|22|"; within:20; content:"|22|params|22 3a|"; content:"|22|userName|22 3a|"; content:"|22|admin|22|"; within:15; content:"|22|password|22 3a|"; content:"|22|loginType|22 3a|"; content:"|22|Direct|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|NetKeyboard|22|"; within:20; content:"|22|authorityType|22 3a|"; content:"|22|Default|22|"; within:15; content:"|22|passwordType|22 3a|"; content:"|22|Default|22|"; within:15; reference:url,packetstorm.news/files/id/164423; reference:cve,2021-33044; classtype:attempted-admin; sid:2068364; rev:1; metadata:affected_product Dahua, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2021_33044, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
yara
matchers: body contains '"result":true,"session"' AND 'id' AND 'params'; status 200
  • Exploit requests use HTTP POST to /RPC2_Login with clientType set to 'NetKeyboard' and loginType set to 'Direct' — the NetKeyboard clientType argument is the key bypass trigger.
  • A successful bypass response contains the literal string '"result":true,"session"' in the HTTP response body with HTTP 200 status — use this as a confirmation matcher.
  • Iran-nexus actors exploiting CVE-2021-33044 route traffic through commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and VPS infrastructure — VPN egress IPs should be correlated against known commercial VPN ranges when investigating camera login attempts.
  • Monitor for repeated login failures and unexpected remote logins on Dahua camera management interfaces, as well as cameras initiating unusual outbound connections post-compromise.
  • The Nuclei template targets the path /RPC2_Login with a JSON body specifying 'loginType':'Direct' and 'clientType':'NetKeyboard'; session token is extractable via regex '"result":true,"session":"([a-z]+)"}'.
  • The bypass only works when the client specifies the 'NetKeyboard' clientType during the login request — other clientType values do not trigger the bypass.
  • The password field value is irrelevant to exploitation ('Not Used' is sent in PoC payloads), meaning password-strength controls alone do not mitigate this vulnerability.
  • Affected device families include Dahua IPC, VTH, and VTO product lines per the vulnerability disclosure.
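
The detection notes above, applied to recorded HTTP transactions, as an added example that does not come from the page's sources. It parses the request JSON instead of byte-matching, so key order and spacing do not matter. The record schema (src, method, uri, req_body, status, resp_body), the sample records and the `ExampleWebClient` value are assumptions constructed for illustration.

```python
import json

LOGIN_PATH = "/RPC2_Login"
SUCCESS_MARKER = '"result":true,"session"'  # response matcher quoted on this page

def classify(txn):
    """Return 'confirmed', 'attempt' or None for one HTTP transaction dict."""
    if txn.get("method") != "POST" or txn.get("uri") != LOGIN_PATH:
        return None
    try:
        body = json.loads(txn.get("req_body") or "")
    except ValueError:
        return None  # not JSON, so not the RPC login call
    params = body.get("params") if isinstance(body, dict) else None
    if not isinstance(params, dict) or body.get("method") != "global.login":
        return None
    # The NetKeyboard + Direct pair is the trigger; the password value is ignored.
    if (params.get("clientType"), params.get("loginType")) != ("NetKeyboard", "Direct"):
        return None
    # Drop whitespace so a pretty-printed response still matches the marker.
    resp = "".join((txn.get("resp_body") or "").split())
    if txn.get("status") == 200 and SUCCESS_MARKER in resp:
        return "confirmed"
    return "attempt"

def scan(transactions):
    """Return (source address, verdict) for every flagged transaction."""
    verdicts = ((t.get("src"), classify(t)) for t in transactions)
    return [(src, v) for src, v in verdicts if v]

def login_body(client_type):
    # Request body shaped like the command shown on this page.
    return json.dumps({"id": 1, "method": "global.login", "session": 0, "params": {
        "userName": "admin", "password": "Not Used", "clientType": client_type,
        "loginType": "Direct", "authorityType": "Default", "passwordType": "Default"}})

# Constructed sample records (documentation addresses, made-up session values).
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "uri": LOGIN_PATH, "status": 200,
     "req_body": login_body("NetKeyboard"),
     "resp_body": '{"id": 1, "result": true, "session": "examplesession"}'},
    {"src": "192.0.2.11", "method": "POST", "uri": LOGIN_PATH, "status": 200,
     "req_body": login_body("NetKeyboard"),
     "resp_body": '{"id": 1, "result": false, "session": 0}'},
    {"src": "198.51.100.7", "method": "POST", "uri": LOGIN_PATH, "status": 200,
     "req_body": login_body("ExampleWebClient"),
     "resp_body": '{"result": true, "session": "x"}'},
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

An "attempt" verdict means the request matched but the device did not return the success marker; "confirmed" means the device should be treated as compromised and checked against the fixed firmware versions in the table above.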

CVSS provenance

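| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |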