Hackers can exploit unpatched Dahua smart cameras.
Dahua smart camera users should be aware of critical vulnerabilities discovered by researchers at Bitdefender in the Hero C1 family of devices. These vulnerabilities, when exploited together, could enable remote code execution and complete control over the camera. The first vulnerability, identified as CVE-2025-31700, involves a stack-based buffer overflow in the ONVIF protocol handler, allowing attackers to write arbitrary bytes to the stack, potentially overwriting CPU registers. The second vulnerability, CVE-2025-31701, is a .bss segment overflow via the RPC upload handler, which could permit attackers to overwrite adjacent global variables.
Bitdefender highlighted that by crafting a specific structure in memory, an attacker could redirect execution to a system call, resulting in full remote code execution without requiring authentication. These vulnerabilities pose significant risks, especially for devices exposed to the internet through port-forwarding or UPnP. Dahua has acknowledged the issue and has been working with Bitdefender to address it since March 2025. A patch was released on July 7, and the vulnerabilities were officially disclosed on July 23. The Dahua security team received commendations for their professional handling of the situation.