CVE-2021-33045
published 2021-09-15CVE-2021-33045: The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by…
PriorityP198critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2024-09-11
Exploited in the wild
EPSS
99.56%
99.9th percentile
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dahuasecurity | ipc-hum7xxx_firmware | < 2.820.0000000.5.r.210705 | 2.820.0000000.5.r.210705 |
| dahuasecurity | ipc-hx3xxx_firmware | < 2.800.0000000.29.r.210630 | 2.800.0000000.29.r.210630 |
| dahuasecurity | ipc-hx5xxx_firmware | < 2.820.0000000.5.r.210705 | 2.820.0000000.5.r.210705 |
| dahuasecurity | nvr-1xxx_firmware | < 4.001.0000005.1.r.210709 | 4.001.0000005.1.r.210709 |
| dahuasecurity | nvr-2xxx_firmware | < 4.001.0000000.1.r.210710 | 4.001.0000000.1.r.210710 |
| dahuasecurity | nvr-4xxx_firmware | < 4.001.0000005.1.r.210713 | 4.001.0000005.1.r.210713 |
| dahuasecurity | nvr-5xxx_firmware | < 4.001.0000000.0.r.210710 | 4.001.0000000.0.r.210710 |
| dahuasecurity | nvr-6xx_firmware | < 4.001.0000001.1.r.210716 | 4.001.0000001.1.r.210716 |
| dahuasecurity | vth-542xh_firmware | < 4.500.0000002.0.r.210715 | 4.500.0000002.0.r.210715 |
| dahuasecurity | vto-65xxx_firmware | < 4.300.0000004.0.r.210715 | 4.300.0000004.0.r.210715 |
| dahuasecurity | vto-75x95x_firmware | < 4.300.0000003.0.r.210714 | 4.300.0000003.0.r.210714 |
| dahuasecurity | xvr-4x04_firmware | < 4.001.0000001.1.r.210709 | 4.001.0000001.1.r.210709 |
| dahuasecurity | xvr-4x08_firmware | < 4.001.0000001.1.r.210709 | 4.001.0000001.1.r.210709 |
| dahuasecurity | xvr-5x04_firmware | < 4.001.0000003.1.r.210710 | 4.001.0000003.1.r.210710 |
| dahuasecurity | xvr-5x08_firmware | < 4.001.0000003.1.r.210710 | 4.001.0000003.1.r.210710 |
| dahuasecurity | xvr-5x16_firmware | < 4.001.0000003.1.r.210710 | 4.001.0000003.1.r.210710 |
| dahuasecurity | xvr-7x16_firmware | < 4.001.0000003.1.r.210710 | 4.001.0000003.1.r.210710 |
| dahuasecurity | xvr-7x32_firmware | < 4.001.0000003.1.r.210710 | 4.001.0000003.1.r.210710 |
Detection & IOCsextracted from sources · hover to see the quote
command{"method": "global.login", "params": {"userName": "admin", "ipAddr": "127.0.0.1", "loginType": "Loopback", "clientType": "Local", "authorityType": "Default", "passwordType": "Plain", "password": "admin"}, "id": 1, "session": 0}
snort
alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)"; flow:established,to_server; content:"|20 00 00 00|DHIP"; startswith; fast_pattern; content:"|22|ipAddr|22 3a|"; content:"|22|127.0.0.1|22|"; within:15; content:"|22|loginType|22 3a|"; content:"|22|Loopback|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|Local|22|"; within:15; reference:url,packetstorm.news/files/id/164423; reference:cve,2021-33044; reference:cve,2021-33045; classtype:attempted-admin; sid:2068365; rev:1; metadata:affected_product Dahua, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2021_33045, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
|20 00 00 00|DHIP
- →Exploit targets POST /RPC2_Login with a JSON body specifying loginType=Loopback and clientType=Local and ipAddr=127.0.0.1 to spoof a loopback device and bypass authentication
- →Successful exploitation returns HTTP 200 with a JSON body containing 'session', 'result':true, and 'keepAliveInterval' fields — match all three to confirm authentication bypass
- →DHIP protocol traffic (TCP) starting with bytes 20 00 00 00 followed by the ASCII string DHIP is the binary framing used by the exploit; presence of this pattern alongside Loopback/Local login parameters indicates an active exploitation attempt
- →CVE-2021-33045 is listed as actively exploited by Russian military cyber actors (Unit 29155) targeting critical infrastructure; prioritize detection on perimeter-facing Dahua IPC/VTH/VTO devices
- →Vulnerability is triggered when the loopback device is specified by the client during authentication — monitor for any external source IP submitting loginType=Loopback or clientType=Local to /RPC2_Login
- ·The Snort/ET rule targets plaintext TCP traffic only (tls_state plaintext); encrypted DHIP sessions will not be detected by this signature
- ·The nuclei template sends a single HTTP request (max-request: 1) and relies on response body matching; defenders should ensure HTTP response logging is enabled on proxies/WAFs in front of Dahua devices to capture the confirming response fields
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9vwj-hj2h-whjq: The identity authentication bypass vulnerability found in some Dahua products during the login process
ghsa_unreviewed·2022-05-24
CVE-2021-33045 [CRITICAL] CWE-287 GHSA-9vwj-hj2h-whjq: The identity authentication bypass vulnerability found in some Dahua products during the login process
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
VulnCheck
Dahua IP Camera Authentication Bypass Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-33045 [CRITICAL] CWE-287 Dahua IP Camera Authentication Bypass Vulnerability
Dahua IP Camera Authentication Bypass Vulnerability
Dahua IP cameras and related products contain an authentication bypass vulnerability when the loopback device is specified by the client during authentication.
Affected: Dahua IP Camera Firmware
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortiguard.com/encyclopedia/ips/56500; https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a; https://www.cisa.gov/sites/default/files/2024-11/aa24-317a-2023-top-routinely-exploited-vulnerabilities.pdf; https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/2023-top-rou
CISA
Dahua IP Camera Authentication Bypass Vulnerability
cisa·2024-08-21·CVSS 9.8
CVE-2021-33045 [CRITICAL] CWE-287 Dahua IP Camera Authentication Bypass Vulnerability
Vulnerability: Dahua IP Camera Authentication Bypass Vulnerability
Affected: Dahua IP Camera Firmware
Dahua IP cameras and related products contain an authentication bypass vulnerability when the loopback device is specified by the client during authentication.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.dahuasecurity.com/aboutUs/trustedCenter/details/582; https://nvd.nist.gov/vuln/detail/CVE-2021-33045
Remediation Due Date: 2024-09-11
Suricata
ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)
suricata·2026-03-20·CVSS 9.8
CVE-2021-33044 [CRITICAL] ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)
ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)
Rule: alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)"; flow:established,to_server; content:"|20 00 00 00|DHIP"; startswith; fast_pattern; content:"|22|ipAddr|22 3a|"; content:"|22|127.0.0.1|22|"; within:15; content:"|22|loginType|22 3a|"; content:"|22|Loopback|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|Local|22|"; within:15; reference:url,packetstorm.news/files/id/164423; reference:cve,2021-33044; reference:cve,2021-33045; classtype:attempted-admin; sid:2068365; rev:1; metadata:affected_product Dahua, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2021_33045, deployment P
Nuclei
Dahua IPC/VTH/VTO - Authentication Bypass
nuclei·CVSS 9.8
CVE-2021-33045 [CRITICAL] Dahua IPC/VTH/VTO - Authentication Bypass
Dahua IPC/VTH/VTO - Authentication Bypass
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
Template:
id: CVE-2021-33045
info:
name: Dahua IPC/VTH/VTO - Authentication Bypass
author: phantomowl
severity: critical
description: |
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
impact: |
Unauthenticated attackers can bypass device authentication by constructing malicious login packets, gaining full administrative access to Dahua IPC/VTH/VTO devices.
remediation: |
Apply firmware updates provided by D
Tenable
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
blogs_tenable·2024-09-13
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Checkpoint
11th October – Threat Intelligence Report
blogs_checkpoint·2021-10-11·CVSS 9.8
CVE-2021-26084 [CRITICAL] 11th October – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 11th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th October, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
UK newspaper & Media outlet The Telegraph has accidently leaked 10 TB of subscribers’ data after leaving an Elasticsearch cluster unsecured. Leakage includes internal logs, names, emails, device type, URL requests, IP addresses, authentication tokens & unique reader identifiers.
Twitch source code and users’ sensitive da
http://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.htmlhttp://seclists.org/fulldisclosure/2021/Oct/13https://www.dahuasecurity.com/support/cybersecurity/details/957http://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.htmlhttp://seclists.org/fulldisclosure/2021/Oct/13https://www.dahuasecurity.com/support/cybersecurity/details/957https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-33045
2021-09-15
Published
2024-08-21
Added to CISA KEV
Exploited in the wild