CVE-2022-45423

Published: Dec 27, 2022Modified: Apr 14, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials. An attacker can obtain encrypted MQTT credentials by sending a specific crafted packet to the vulnerable interface (the credentials cannot be directly exploited).

Affected (22)

Products: Dahuasecurity: Dss Express, Dss Professional, Dhi Dss7016d S2 Firmware, Dhi Dss7016dr S2 Firmware, Dhi Dss4004 S2 Firmware

Dahuasecurity

5 products

Dss Express

Dss Professional

Dhi Dss7016d S2 Firmware

Dhi Dss7016dr S2 Firmware

Dhi Dss4004 S2 Firmware

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Dahuasecurity Dss Express	Version 7.002.1760000.2
Dahuasecurity Dss Express	Version 8.0.2
Dahuasecurity Dss Express	Version 8.0.4
Dahuasecurity Dss Express	Version 8.1.1
Dahuasecurity Dss Express	Version 8.1
Dahuasecurity Dss Professional	Version 7.002.1760000.2
Dahuasecurity Dss Professional	Version 8.0.2
Dahuasecurity Dss Professional	Version 8.0.4
Dahuasecurity Dss Professional	Version 8.1.1
Dahuasecurity Dss Professional	Version 8.1

Configuration B

4 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dahuasecurity Dhi Dss7016d S2 Firmware	Version 1.001.0000001.2
Dahuasecurity Dhi Dss7016d S2 Firmware	Version 8.0.2
Dahuasecurity Dhi Dss7016d S2 Firmware	Version 8.0.4
Dahuasecurity Dhi Dss7016d S2 Firmware	Version 8.1

Running on/with	Platform Versions
Dahuasecurity Dhi Dss7016d S2	All versions

Configuration C

4 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dahuasecurity Dhi Dss7016dr S2 Firmware	Version 1.001.0000001.2
Dahuasecurity Dhi Dss7016dr S2 Firmware	Version 8.0.2
Dahuasecurity Dhi Dss7016dr S2 Firmware	Version 8.0.4
Dahuasecurity Dhi Dss7016dr S2 Firmware	Version 8.1

Running on/with	Platform Versions
Dahuasecurity Dhi Dss7016dr S2	All versions

Configuration D

4 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dahuasecurity Dhi Dss4004 S2 Firmware	Version 1.001.0000001.2
Dahuasecurity Dhi Dss4004 S2 Firmware	Version 8.0.2
Dahuasecurity Dhi Dss4004 S2 Firmware	Version 8.0.4
Dahuasecurity Dhi Dss4004 S2 Firmware	Version 8.1

Running on/with	Platform Versions
Dahuasecurity Dhi Dss4004 S2	All versions

Related CWEs

CWE-306

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (2)

https://www.dahuasecurity.com/support/cybersecurity/details/1137

Source: cybersecurity@dahuatech.com

PatchVendor Advisory

https://www.dahuasecurity.com/support/cybersecurity/details/1137

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.