CVE-2021-33044

What is Dahua?

Dahua Technology is one of the world's largest video surveillance equipment manufacturers, competing with Hikvision in the global IP camera market. Dahua cameras and NVRs are deployed in critical infrastructure, government facilities, and enterprises worldwide. Like Hikvision, Dahua has faced regulatory scrutiny due to the Chinese government's influence over the company. Authentication bypass vulnerabilities in IP cameras are particularly dangerous because they allow unauthenticated access to live video feeds, camera configurations, and in some cases the underlying Linux OS.

Overview

CVE-2021-33044 is an authentication bypass vulnerability (CWE-287) in Dahua IP camera firmware. When a client specifies the NetKeyboard authentication type during the login process, the camera's authentication mechanism fails to properly verify the client's credentials, allowing the authentication step to succeed without valid credentials. This grants the attacker full access to the camera management interface. See also CVE-2021-33045 for a companion bypass using the loopback device authentication type. CISA added both to KEV in August 2024.

Affected Versions

Technical Details

Dahua cameras support multiple authentication types in their login protocol (the Dahua proprietary management protocol). The authentication handler processes the requested authentication type from the client before validating credentials. When NetKeyboard is specified as the authentication type, the credential verification logic is bypassed or completed without proper validation:

• Root cause: Authentication bypass (CWE-287) — the NetKeyboard authentication type argument causes the server to skip or incorrectly complete credential verification
• Attack vector: Any client that can reach the camera's management port (TCP 37777 or the web interface port 80/443)
• Authentication result: Attacker receives a valid session token granting full administrative access
• Post-authentication access: Full camera control: live video access, configuration changes, credential modification, PTZ control, and in some cases OS-level access via the management interface

Discovery

Reported by security researchers studying Dahua's proprietary authentication protocol. Dahua published the advisory in September 2021 but confirmed exploitation wasn't formally recognized by CISA until August 2024 — a three-year gap reflecting long-tail exploitation of IoT vulnerabilities.

Exploitation Context

IoT camera authentication bypasses are actively exploited by threat actors for various purposes: surveillance (accessing live camera feeds), IoT botnet recruitment, and as entry points into physical security networks. Dahua cameras deployed in sensitive locations (critical infrastructure, government buildings) that have internet-accessible management interfaces are particularly at risk. The three-year gap between patch and CISA KEV addition reflects the difficulty of patching IoT devices and the persistence of exploitation.

Remediation

1. Update Dahua camera firmware per Dahua Security Advisory DSA-2021-001
2. Restrict camera management interface access to internal network IPs only — disable internet exposure of Dahua camera management ports (TCP 37777, 80, 443)
3. Place cameras behind a dedicated VPN or video management system (VMS)
4. Change all default and administrative credentials on Dahua cameras
5. Segment camera networks from corporate IT networks using VLANs
6. If firmware updates are unavailable for EOL devices, consider device replacement