CVE-2021-33045
published 2021-09-15


Priority: P1 98
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2024-09-11
Exploited in the wild
EPSS: 99.56% (99.9th percentile)
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

Affected

18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dahuasecurity | ipc-hum7xxx_firmware | < 2.820.0000000.5.r.210705 | 2.820.0000000.5.r.210705 |
| dahuasecurity | ipc-hx3xxx_firmware | < 2.800.0000000.29.r.210630 | 2.800.0000000.29.r.210630 |
| dahuasecurity | ipc-hx5xxx_firmware | < 2.820.0000000.5.r.210705 | 2.820.0000000.5.r.210705 |
| dahuasecurity | nvr-1xxx_firmware | < 4.001.0000005.1.r.210709 | 4.001.0000005.1.r.210709 |
| dahuasecurity | nvr-2xxx_firmware | < 4.001.0000000.1.r.210710 | 4.001.0000000.1.r.210710 |
| dahuasecurity | nvr-4xxx_firmware | < 4.001.0000005.1.r.210713 | 4.001.0000005.1.r.210713 |
| dahuasecurity | nvr-5xxx_firmware | < 4.001.0000000.0.r.210710 | 4.001.0000000.0.r.210710 |
| dahuasecurity | nvr-6xx_firmware | < 4.001.0000001.1.r.210716 | 4.001.0000001.1.r.210716 |
| dahuasecurity | vth-542xh_firmware | < 4.500.0000002.0.r.210715 | 4.500.0000002.0.r.210715 |
| dahuasecurity | vto-65xxx_firmware | < 4.300.0000004.0.r.210715 | 4.300.0000004.0.r.210715 |
| dahuasecurity | vto-75x95x_firmware | < 4.300.0000003.0.r.210714 | 4.300.0000003.0.r.210714 |
| dahuasecurity | xvr-4x04_firmware | < 4.001.0000001.1.r.210709 | 4.001.0000001.1.r.210709 |
| dahuasecurity | xvr-4x08_firmware | < 4.001.0000001.1.r.210709 | 4.001.0000001.1.r.210709 |
| dahuasecurity | xvr-5x04_firmware | < 4.001.0000003.1.r.210710 | 4.001.0000003.1.r.210710 |
| dahuasecurity | xvr-5x08_firmware | < 4.001.0000003.1.r.210710 | 4.001.0000003.1.r.210710 |
| dahuasecurity | xvr-5x16_firmware | < 4.001.0000003.1.r.210710 | 4.001.0000003.1.r.210710 |
| dahuasecurity | xvr-7x16_firmware | < 4.001.0000003.1.r.210710 | 4.001.0000003.1.r.210710 |
| dahuasecurity | xvr-7x32_firmware | < 4.001.0000003.1.r.210710 | 4.001.0000003.1.r.210710 |

Detection & IOCs (extracted from sources)

url: /RPC2_Login
command: {"method": "global.login", "params": {"userName": "admin", "ipAddr": "127.0.0.1", "loginType": "Loopback", "clientType": "Local", "authorityType": "Default", "passwordType": "Plain", "password": "admin"}, "id": 1, "session": 0}
snort:
alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)"; flow:established,to_server; content:"|20 00 00 00|DHIP"; startswith; fast_pattern; content:"|22|ipAddr|22 3a|"; content:"|22|127.0.0.1|22|"; within:15; content:"|22|loginType|22 3a|"; content:"|22|Loopback|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|Local|22|"; within:15; reference:url,packetstorm.news/files/id/164423; reference:cve,2021-33044; reference:cve,2021-33045; classtype:attempted-admin; sid:2068365; rev:1; metadata:affected_product Dahua, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2021_33045, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes:
|20 00 00 00|DHIP
  • Exploit targets POST /RPC2_Login with a JSON body specifying loginType=Loopback and clientType=Local and ipAddr=127.0.0.1 to spoof a loopback device and bypass authentication
  • Successful exploitation returns HTTP 200 with a JSON body containing 'session', 'result':true, and 'keepAliveInterval' fields — match all three to confirm authentication bypass
  • DHIP protocol traffic (TCP) starting with bytes 20 00 00 00 followed by the ASCII string DHIP is the binary framing used by the exploit; presence of this pattern alongside Loopback/Local login parameters indicates an active exploitation attempt
  • CVE-2021-33045 is listed as actively exploited by Russian military cyber actors (Unit 29155) targeting critical infrastructure; prioritize detection on perimeter-facing Dahua IPC/VTH/VTO devices
  • Vulnerability is triggered when the loopback device is specified by the client during authentication — monitor for any external source IP submitting loginType=Loopback or clientType=Local to /RPC2_Login
  • The Snort/ET rule targets plaintext TCP traffic only (tls_state plaintext); encrypted DHIP sessions will not be detected by this signature
  • The nuclei template sends a single HTTP request (max-request: 1) and relies on response body matching; defenders should ensure HTTP response logging is enabled on proxies/WAFs in front of Dahua devices to capture the confirming response fields
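
The detection notes above can be applied to proxy or WAF logs that capture request and response bodies. The following is an added example, not code from this page or from any vendor: the record field names (src_ip, path, status, request_body, response_body) and the sample records are constructed assumptions, and the DHIP check is a simplified byte match that does not reproduce the Snort rule's positional constraints.

```python
import ipaddress
import json

LOGIN_PATH = "/RPC2_Login"
DHIP_MAGIC = bytes.fromhex("20000000") + b"DHIP"  # framing bytes quoted above

def _json_obj(text):
    """Parse text as a JSON object; return {} for anything else."""
    try:
        obj = json.loads(text or "{}")
    except ValueError:
        return {}
    return obj if isinstance(obj, dict) else {}

def classify_http(rec):
    """Return 'benign', 'attempt' or 'bypass_confirmed' for one log record.

    An attempt is a non-loopback source submitting loginType=Loopback or clientType=Local."""
    if rec.get("path") != LOGIN_PATH or ipaddress.ip_address(rec["src_ip"]).is_loopback:
        return "benign"
    params = _json_obj(rec.get("request_body")).get("params")
    if not isinstance(params, dict):
        return "benign"
    if params.get("loginType") != "Loopback" and params.get("clientType") != "Local":
        return "benign"
    resp = _json_obj(rec.get("response_body"))
    # Confirmation needs HTTP 200 plus all three fields: session, result:true, keepAliveInterval
    confirmed = (rec.get("status") == 200 and resp.get("result") is True
                 and "session" in resp and "keepAliveInterval" in resp)
    return "bypass_confirmed" if confirmed else "attempt"

def dhip_loopback_login(payload):
    """True if a plaintext TCP payload is a DHIP frame carrying the loopback login values."""
    needles = (b'"127.0.0.1"', b'"Loopback"', b'"Local"')
    return payload.startswith(DHIP_MAGIC) and all(n in payload for n in needles)

# Constructed sample records; the field names are assumptions, not a real log schema
_REQ = json.dumps({"method": "global.login", "params": {
    "userName": "admin", "ipAddr": "127.0.0.1", "loginType": "Loopback", "clientType": "Local"}})
SAMPLES = [
    {"src_ip": "203.0.113.7", "path": LOGIN_PATH, "status": 200, "request_body": _REQ,
     "response_body": '{"result": true, "session": "abc", "keepAliveInterval": 60}'},
    {"src_ip": "203.0.113.7", "path": LOGIN_PATH, "status": 200, "request_body": _REQ,
     "response_body": '{"result": false, "session": "abc"}'},
    {"src_ip": "198.51.100.9", "path": LOGIN_PATH, "status": 200, "response_body": "{}",
     "request_body": '{"method": "global.login", "params": {"loginType": "Direct"}}'},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["src_ip"], classify_http(rec))
```

A "bypass_confirmed" verdict depends on response bodies being logged; without them every hit can only be reported as an attempt.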

CVSS provenance

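| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |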