Cyber Resilience

CVE-2021-33044

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 15 September 2021

Published
15 September 2021
Modified
12 January 2026
KEV Added
21 August 2024
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9427 99.9th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-33044 is a critical-severity Improper Authentication (CWE-287) vulnerability in Dahuasecurity Ipc-Hum7Xxx Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2021-33044 is an identity authentication bypass vulnerability affecting some Dahua products during the login process and is tracked under CWE-287. It carries a CVSS 3.1 base score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated attacker can exploit the flaw remotely by constructing and sending malicious data packets that bypass device identity authentication, resulting in full impact to confidentiality, integrity, and availability of the affected device.

Dahua has published an advisory at https://www.dahuasecurity.com/support/cybersecurity/details/957. Public technical details and proof-of-concept material have also been posted to Packet Storm Security and the Seclists Full Disclosure mailing list.

EU & UK References

Vulnerability details

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CWE(s)
KEV Date Added
21 August 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dahuasecurity
ipc-hum7xxx firmware
≤ 2.820.0000000.5.r.210705
dahuasecurity
ipc-hx3xxx firmware
≤ 2.800.0000000.29.r.210630
dahuasecurity
ipc-hx5xxx firmware
≤ 2.820.0000000.18.r.210705
dahuasecurity
sd1a1 firmware
≤ 2.812.0000007.0.r.210706
dahuasecurity
sd22 firmware
≤ 2.812.0000007.0.r.210706
dahuasecurity
sd49 firmware
≤ 2.812.0000007.0.r.210706
dahuasecurity
sd50 firmware
≤ 2.812.0000007.0.r.210706
dahuasecurity
sd52c firmware
≤ 2.812.0000007.0.r.210706
dahuasecurity
sd6al firmware
≤ 2.812.0000007.0.r.210706
dahuasecurity
tpc-bf1241 firmware
≤ 2.630.0000000.6.r.210707
+9 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication requirements before allowing access, blocking the malicious-packet bypass of the login process.

prevent

Requires cryptographic or strong device identification and authentication, directly addressing the device-identity bypass flaw.

AC-17 Remote Access partial match
prevent

Mandates secure remote-access mechanisms and authentication, limiting the network vector used to send the crafted login packets.

References