What is Dahua?
Dahua Technology is one of the world's largest video surveillance equipment manufacturers, deploying cameras and network video recorders (NVRs) globally in critical infrastructure, enterprise, and government environments. Authentication bypass vulnerabilities in IP cameras allow unauthenticated attackers to access live video feeds, camera configurations, and the physical security infrastructure the cameras protect.
Overview
CVE-2021-33045 is an authentication bypass vulnerability (CWE-287) in Dahua IP camera firmware — a companion bypass to CVE-2021-33044. When a client specifies the loopback device as the authentication type during the login process, the camera's authentication mechanism fails to properly verify credentials, allowing authentication to succeed without valid credentials. Both CVE-2021-33044 (NetKeyboard type bypass) and CVE-2021-33045 (loopback device type bypass) were disclosed simultaneously in Dahua's DSA-2021-001 advisory and were both added to CISA KEV in August 2024.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Dahua IP Cameras (multiple models) | Firmware before Dahua DSA-2021-001 fix | Updated firmware per DSA-2021-001 |
| Dahua NVRs (selected models) | Corresponding firmware | Updated firmware |
Technical Details
Dahua's proprietary authentication protocol allows the client to specify the type of authentication device being used. When the loopback device type is specified in the authentication request, the server's credential validation incorrectly treats the request as coming from a trusted loopback source and bypasses normal credential checks:
- Root cause: Authentication bypass (CWE-287) — specifying the loopback device authentication type causes the server to skip proper credential verification
- Attack vector: Any client that can reach the camera's management port (TCP 37777 or web interface)
- Authentication result: Attacker receives a valid session token with full administrative access to the camera
- Relationship to CVE-2021-33044: These two CVEs represent two different bypass methods within the same authentication protocol — different authentication type values each trigger a different bypass path
- Combined risk: Two independent bypass paths mean that patching one while leaving the other unaddressed still leaves cameras vulnerable
Discovery
Identified by the same security researchers who reported CVE-2021-33044. Dahua's DSA-2021-001 advisory addresses both bypass types simultaneously.
Exploitation Context
The three-year gap between the September 2021 patch and the August 2024 CISA KEV addition reflects the persistent exploitation of IoT camera vulnerabilities. Dahua cameras deployed with internet-accessible management interfaces — particularly in critical infrastructure, utilities, and government facilities — remained exploitable long after patches were available, due to the difficulty of managing firmware updates across large deployments of embedded devices.
Remediation
- Update Dahua camera firmware per Dahua Security Advisory DSA-2021-001 — the same patch addresses both CVE-2021-33044 and CVE-2021-33045
- Restrict camera management interface access to internal network IPs only
- Disable internet-facing access to Dahua camera management ports (TCP 37777, 80, 443)
- Deploy cameras behind a VPN or dedicated Video Management System (VMS)
- Change all default and administrative credentials immediately after firmware update
- Implement network segmentation to isolate camera networks from corporate IT infrastructure
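The access-restriction items above can be checked against firewall or flow logs. The following is an added example, not Dahua's code or part of the advisory: it audits constructed flow records for connections to the management ports listed above (TCP 37777, 80, 443) from sources outside a hypothetical VMS allow-list, ranking internet-sourced accepted connections highest. The subnets and log format are assumptions.

```python
import ipaddress
from collections import namedtuple

# Dahua management ports named in the remediation list; none should be internet-facing.
DAHUA_MGMT_PORTS = {37777, 80, 443}

# Hypothetical allow-list: only the VMS/operator subnet may reach camera management ports.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# RFC 1918 ranges, used to tell "internal but not allow-listed" from "internet-sourced".
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not real traffic): "src_ip dst_ip dst_port proto action".
SAMPLE_FLOWS = """\
10.20.0.15 10.30.1.7 37777 tcp ACCEPT
198.51.100.23 10.30.1.7 37777 tcp ACCEPT
192.168.5.2 10.30.1.7 37777 tcp ACCEPT
203.0.113.9 10.30.1.8 443 tcp ACCEPT
10.20.0.15 10.30.1.7 554 tcp ACCEPT
192.0.2.44 10.30.1.9 80 tcp DROP
"""

Finding = namedtuple("Finding", "src dst port severity")


def parse_flow(line):
    src, dst, port, proto, action = line.split()
    return src, dst, int(port), proto.lower(), action.upper()


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit_flows(text):
    """Return findings for management-port traffic from non-allow-listed sources."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, action = parse_flow(line)
        if proto != "tcp" or port not in DAHUA_MGMT_PORTS or in_any(src, ALLOWED_SOURCES):
            continue
        if action != "ACCEPT":
            severity = "info"          # blocked probe: policy is working, still worth logging
        elif in_any(src, INTERNAL_NETWORKS):
            severity = "high"          # internal host outside the VMS allow-list reached the port
        else:
            severity = "critical"      # internet-sourced access: the exposure this CVE turns into admin access
        findings.append(Finding(src, dst, port, severity))
    return findings
```

Run `audit_flows(SAMPLE_FLOWS)` to see the four findings; in practice the sample text is replaced by exported firewall logs in the same column order.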
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-33045 |
| Vendor / Product | Dahua — IP Camera Firmware |
| NVD Published | 2021-09-15 |
| NVD Last Modified | 2026-01-13 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-287 |
| CISA KEV Added | 2024-08-21 |
| CISA KEV Deadline | 2024-09-11 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-09-15 | Dahua publishes security advisory DSA-2021-001; CVE published |
| 2024-08-21 | Added to CISA Known Exploited Vulnerabilities catalog (alongside CVE-2021-33044) |
| 2024-09-11 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Dahua Security Advisory DSA-2021-001 | Vendor Advisory |
| NVD — CVE-2021-33045 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |