CVE-2021-33044
published 2021-09-15CVE-2021-33044: The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by…
PriorityP198critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2024-09-11
Exploited in the wild
EPSS
99.87%
100.0th percentile
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dahuasecurity | ipc-hum7xxx_firmware | < 2.820.0000000.5.r.210705 | 2.820.0000000.5.r.210705 |
| dahuasecurity | ipc-hx3xxx_firmware | < 2.800.0000000.29.r.210630 | 2.800.0000000.29.r.210630 |
| dahuasecurity | ipc-hx5xxx_firmware | < 2.820.0000000.18.r.210705 | 2.820.0000000.18.r.210705 |
| dahuasecurity | sd1a1_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | sd22_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | sd49_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | sd50_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | sd52c_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | sd6al_firmware | < 2.812.0000007.0.r.210706 | 2.812.0000007.0.r.210706 |
| dahuasecurity | tpc-bf1241_firmware | < 2.630.0000000.6.r.210707 | 2.630.0000000.6.r.210707 |
| dahuasecurity | tpc-bf2221_firmware | < 2.630.0000000.10.r.210707 | 2.630.0000000.10.r.210707 |
| dahuasecurity | tpc-bf5x01_firmware | < 2.630.0000000.12.r.210707 | 2.630.0000000.12.r.210707 |
| dahuasecurity | tpc-bf5x21_firmware | < 2.630.0000000.8.r.210630 | 2.630.0000000.8.r.210630 |
| dahuasecurity | tpc-pt8x21b_firmware | < 2.630.0000000.10.r.210701 | 2.630.0000000.10.r.210701 |
| dahuasecurity | tpc-sd2221_firmware | <= 2.630.0000000.7.r.210707 | — |
| dahuasecurity | tpc-sd8x21_firmware | < 2.630.0000000.9.r.210706 | 2.630.0000000.9.r.210706 |
| dahuasecurity | vth-542xh_firmware | < 4.500.0000002.0.r.210715 | 4.500.0000002.0.r.210715 |
| dahuasecurity | vto-65xxx_firmware | < 4.300.0000004.0.r.210715 | 4.300.0000004.0.r.210715 |
| dahuasecurity | vto-75x95x_firmware | < 4.300.0000003.0.r.210714 | 4.300.0000003.0.r.210714 |
Detection & IOCsextracted from sources · hover to see the quote
command{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M2 (http) (CVE-2021-33044)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:11; content:"/RPC2_Login"; fast_pattern; http.request_body; content:"|22|method|22 3a|"; content:"|22|global.login|22|"; within:20; content:"|22|params|22 3a|"; content:"|22|userName|22 3a|"; content:"|22|admin|22|"; within:15; content:"|22|password|22 3a|"; content:"|22|loginType|22 3a|"; content:"|22|Direct|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|NetKeyboard|22|"; within:20; content:"|22|authorityType|22 3a|"; content:"|22|Default|22|"; within:15; content:"|22|passwordType|22 3a|"; content:"|22|Default|22|"; within:15; reference:url,packetstorm.news/files/id/164423; reference:cve,2021-33044; classtype:attempted-admin; sid:2068364; rev:1; metadata:affected_product Dahua, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2021_33044, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
yara
matchers: body contains '"result":true,"session"' AND 'id' AND 'params'; status 200
- →Exploit requests use HTTP POST to /RPC2_Login with clientType set to 'NetKeyboard' and loginType set to 'Direct' — the NetKeyboard clientType argument is the key bypass trigger. ↗
- →A successful bypass response contains the literal string '"result":true,"session"' in the HTTP response body with HTTP 200 status — use this as a confirmation matcher.
- →Iran-nexus actors exploiting CVE-2021-33044 route traffic through commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and VPS infrastructure — VPN egress IPs should be correlated against known commercial VPN ranges when investigating camera login attempts. ↗
- →Monitor for repeated login failures and unexpected remote logins on Dahua camera management interfaces, as well as cameras initiating unusual outbound connections post-compromise. ↗
- →The Nuclei template targets the path /RPC2_Login with a JSON body specifying 'loginType':'Direct' and 'clientType':'NetKeyboard'; session token is extractable via regex '"result":true,"session":"([a-z]+)"}'.
- ·The bypass only works when the client specifies the 'NetKeyboard' clientType during the login request — other clientType values do not trigger the bypass. ↗
- ·The password field value is irrelevant to exploitation ('Not Used' is sent in PoC payloads), meaning password-strength controls alone do not mitigate this vulnerability.
- ·Affected device families include Dahua IPC, VTH, and VTO product lines per the vulnerability disclosure.
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-h2j4-m7qg-8m4g: The identity authentication bypass vulnerability found in some Dahua products during the login process
ghsa_unreviewed·2022-05-24
CVE-2021-33044 [CRITICAL] CWE-287 GHSA-h2j4-m7qg-8m4g: The identity authentication bypass vulnerability found in some Dahua products during the login process
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
VulnCheck
Dahua IP Camera Authentication Bypass Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-33044 [CRITICAL] CWE-287 Dahua IP Camera Authentication Bypass Vulnerability
Dahua IP Camera Authentication Bypass Vulnerability
Dahua IP cameras and related products contain an authentication bypass vulnerability when the NetKeyboard type argument is specified by the client during authentication.
Affected: Dahua IP Camera Firmware
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-05&host_type=src&vulnerability=cve-2021-33044; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-18&host_type=src&vulnerability=cve-2021-33044; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-24&host_type=src&vulnerability=cve-20
CISA
Dahua IP Camera Authentication Bypass Vulnerability
cisa·2024-08-21·CVSS 9.8
CVE-2021-33044 [CRITICAL] CWE-287 Dahua IP Camera Authentication Bypass Vulnerability
Vulnerability: Dahua IP Camera Authentication Bypass Vulnerability
Affected: Dahua IP Camera Firmware
Dahua IP cameras and related products contain an authentication bypass vulnerability when the NetKeyboard type argument is specified by the client during authentication.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.dahuasecurity.com/aboutUs/trustedCenter/details/582; https://nvd.nist.gov/vuln/detail/CVE-2021-33044
Remediation Due Date: 2024-09-11
Suricata
ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M2 (http) (CVE-2021-33044)
suricata·2026-03-20·CVSS 9.8
CVE-2021-33044 [CRITICAL] ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M2 (http) (CVE-2021-33044)
ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M2 (http) (CVE-2021-33044)
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M2 (http) (CVE-2021-33044)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:11; content:"/RPC2_Login"; fast_pattern; http.request_body; content:"|22|method|22 3a|"; content:"|22|global.login|22|"; within:20; content:"|22|params|22 3a|"; content:"|22|userName|22 3a|"; content:"|22|admin|22|"; within:15; content:"|22|password|22 3a|"; content:"|22|loginType|22 3a|"; content:"|22|Direct|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|NetKeyboard|22|"; within:20; content:"|22|authorityType|22 3a|"; content:"|22|Default|22|"; within:15; content:"|22|passwordType|2
Suricata
ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)
suricata·2026-03-20·CVSS 9.8
CVE-2021-33044 [CRITICAL] ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)
ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)
Rule: alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)"; flow:established,to_server; content:"|20 00 00 00|DHIP"; startswith; fast_pattern; content:"|22|ipAddr|22 3a|"; content:"|22|127.0.0.1|22|"; within:15; content:"|22|loginType|22 3a|"; content:"|22|Loopback|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|Local|22|"; within:15; reference:url,packetstorm.news/files/id/164423; reference:cve,2021-33044; reference:cve,2021-33045; classtype:attempted-admin; sid:2068365; rev:1; metadata:affected_product Dahua, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2021_33045, deployment P
Suricata
ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M2 (http) (CVE-2021-33044)
suricata·2026-03-20·CVSS 9.8
CVE-2021-33044 [CRITICAL] ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M2 (http) (CVE-2021-33044)
ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M2 (http) (CVE-2021-33044)
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M2 (http) (CVE-2021-33044)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:11; content:"/RPC2_Login"; fast_pattern; http.request_body; content:"|22|ipAddr|22 3a|"; content:"|22|127.0.0.1|22|"; within:15; content:"|22|loginType|22 3a|"; content:"|22|Loopback|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|Local|22|"; within:15; reference:url,packetstorm.news/files/id/164423; reference:cve,2021-33044; classtype:attempted-admin; sid:2068366; rev:1; metadata:affected_product Dahua, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE
Suricata
ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33044)
suricata·2026-03-20·CVSS 9.8
CVE-2021-33044 [CRITICAL] ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33044)
ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33044)
Rule: alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33044)"; flow:established,to_server; content:"|20 00 00 00|DHIP"; startswith; fast_pattern; content:"|22|method|22 3a|"; content:"|22|global.login|22|"; within:20; content:"|22|params|22 3a|"; content:"|22|userName|22 3a|"; content:"|22|admin|22|"; within:15; content:"|22|password|22 3a|"; content:"|22|loginType|22 3a|"; content:"|22|Direct|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|NetKeyboard|22|"; within:20; content:"|22|authorityType|22 3a|"; content:"|22|Default|22|"; within:15; content:"|22|passwordType|22 3a|"; content:"|22|Default|22|"; within:15; refer
Nuclei
Dahua IPC/VTH/VTO - Authentication Bypass
nuclei·CVSS 9.8
CVE-2021-33044 [CRITICAL] Dahua IPC/VTH/VTO - Authentication Bypass
Dahua IPC/VTH/VTO - Authentication Bypass
Some Dahua products contain an authentication bypass during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
Template:
id: CVE-2021-33044
info:
name: Dahua IPC/VTH/VTO - Authentication Bypass
author: gy741
severity: critical
description: Some Dahua products contain an authentication bypass during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
impact: |
An attacker can gain unauthorized access to the device, potentially compromising the security and privacy of the system.
remediation: |
Apply the latest firmware update provided by Dahua to fix the authentication bypass vulnerability.
reference:
- https://github.com/dorker
Tenable
Iranian-linked actors are engaging in disruptive attacks
blogs_tenable·2026-03-11
Iranian-linked actors are engaging in disruptive attacks
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Checkpoint
Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
blogs_checkpoint·2026-03-04
CVE-2017-7921 Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
AI Research 2
Android Malware 23
Artificial Intelligence 4
ChatGPT 3
Check Point Research Publications 455
Cloud Security 1
CPRadio 44
Crypto 2
Data & Threat Intelligence 2
Data Analysis 0
Demos 22
Global Cyber Attack Reports 408
How To Guides 13
Ransomware 5
Russo-Ukrainian War 1
Security Report 1
Threat and data analysis 0
Threat Research 174
Web 3.0 Security 11
Wipers 0
## Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
## Key Findings
During the ongoing conflict, we identified intensified targeting of IP cameras f
Tenable
Cybersecurity Snapshot: After Telecom Hacks, CISA Offers Security Tips for Cell Phone Users, While Banks Seek Clearer AI Regulations
blogs_tenable·2025-01-03
Cybersecurity Snapshot: After Telecom Hacks, CISA Offers Security Tips for Cell Phone Users, While Banks Seek Clearer AI Regulations
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Bleepingcomputer
FBI spots HiatusRAT malware attacks targeting web cameras, DVRs
blogs_bleepingcomputer·2024-12-16·CVSS 9.8
[CRITICAL] FBI spots HiatusRAT malware attacks targeting web cameras, DVRs
## FBI spots HiatusRAT malware attacks targeting web cameras, DVRs
## Sergiu Gatlan
The FBI warned today that new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online.
As a private industry notification (PIN) published on Monday explains, the attackers focus their attacks on Chinese-branded devices that are still waiting for security patches or have already reached the end of life.
"In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom," the FBI said . "The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak
Tenable
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
blogs_tenable·2024-09-13
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Checkpoint
11th October – Threat Intelligence Report
blogs_checkpoint·2021-10-11·CVSS 9.8
CVE-2021-26084 [CRITICAL] 11th October – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 11th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th October, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
UK newspaper & Media outlet The Telegraph has accidently leaked 10 TB of subscribers’ data after leaving an Elasticsearch cluster unsecured. Leakage includes internal logs, names, emails, device type, URL requests, IP addresses, authentication tokens & unique reader identifiers.
Twitch source code and users’ sensitive da
http://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.htmlhttp://seclists.org/fulldisclosure/2021/Oct/13https://www.dahuasecurity.com/support/cybersecurity/details/957http://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.htmlhttp://seclists.org/fulldisclosure/2021/Oct/13https://www.dahuasecurity.com/support/cybersecurity/details/957https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-33044
2021-09-15
Published
2024-08-21
Added to CISA KEV
Exploited in the wild