Cyber Resilience

CVE-2021-33045

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 15 September 2021
Modified: 12 January 2026
KEV Added: 21 August 2024
Patch: see the vendor advisory referenced under Deeper analysis
CVSS v3.1: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.9417 (99.9th percentile)
Risk Priority: 96, weighted 60% EPSS, 20% KEV, 20% CVSS (consistent with scaling each input to 0-100: 0.6 × 94.17 + 0.2 × 100 + 0.2 × 98 ≈ 96)

Summary

CVE-2021-33045 is a critical-severity Improper Authentication (CWE-287) vulnerability in the firmware of multiple Dahua Technology products, spanning IP camera (IPC), recorder (NVR, XVR) and intercom (VTH, VTO) lines. Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced. Unpatched devices reachable from untrusted networks should be treated as actively targeted.

The mitigating controls our analysis maps most directly to this flaw are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)); see Mitigating Controls below.

Deeper analysis

CVE-2021-33045 is an identity authentication bypass in the login process of some Dahua products and is tracked under CWE-287 (Improper Authentication). It carries a CVSS 3.1 base score of 9.8: the attack is network-reachable with low complexity, requires no privileges or user interaction, and has high impact on confidentiality, integrity and availability (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H).

An attacker exploits the flaw by sending crafted packets during login; the device treats them as a completed authentication and grants access without valid credentials, so the attacker obtains unauthorized access to the affected device. The vulnerability description does not give the packet contents; the technical write-up is in the postings referenced below.

Public references, including Dahua's security advisory at dahuasecurity.com/support/cybersecurity/details/957 and the PacketStorm and Full Disclosure postings, document the authentication bypass and related technical details.


Vulnerability details

An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CWE(s): CWE-287 Improper Authentication
KEV Date Added: 21 August 2024

Related Threats

No named threat-actor attribution yet; ATT&CK technique mapping is in progress for this CVE.

Affected Assets

Vendor (CPE): dahuasecurity. A device running firmware at or below the listed build for its product line is affected.

ipc-hum7xxx firmware  ≤ 2.820.0000000.5.r.210705
ipc-hx3xxx firmware   ≤ 2.800.0000000.29.r.210630
ipc-hx5xxx firmware   ≤ 2.820.0000000.5.r.210705
nvr-1xxx firmware     ≤ 4.001.0000005.1.r.210709
nvr-2xxx firmware     ≤ 4.001.0000000.1.r.210710
nvr-4xxx firmware     ≤ 4.001.0000005.1.r.210713
nvr-5xxx firmware     ≤ 4.001.0000000.0.r.210710
nvr-6xx firmware      ≤ 4.001.0000001.1.r.210716
vth-542xh firmware    ≤ 4.500.0000002.0.r.210715
vto-65xxx firmware    ≤ 4.300.0000004.0.r.210715
+8 more product configuration(s): see NVD for the full list
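As an added example (not code from this page, from Dahua, or from NVD), the following Python triages a device inventory against the version thresholds listed above. It assumes a Dahua firmware string has the shape [V]major.minor.build.rev.R.YYMMDD (as in "V2.820.0000000.5.R.210705") and that builds order by the four numeric fields first and the build date last; both are assumptions, as are the sample hostnames and versions, which are constructed. Product lines the page lists only as "+8 more" are not transcribed, so they yield an "unknown" verdict rather than a false "safe".

```python
"""Triage Dahua devices against the CVE-2021-33045 affected-version table.

Added example; not vendor tooling.  Assumptions (not stated on the page):
  * Firmware strings look like [V]<major>.<minor>.<build>.<rev>.R.<YYMMDD>.
  * Versions compare as (major, minor, build, rev, yymmdd) integer tuples.
  * Family keys in the inventory match the CPE product names on the page.
"""
import re
from typing import Iterable, Optional, Tuple

# Highest affected build per product line, transcribed from Affected Assets above.
# Lines the page elides ("+8 more") are deliberately absent: unknown is not safe.
AFFECTED_MAX = {
    "ipc-hum7xxx": "2.820.0000000.5.r.210705",
    "ipc-hx3xxx":  "2.800.0000000.29.r.210630",
    "ipc-hx5xxx":  "2.820.0000000.5.r.210705",
    "nvr-1xxx":    "4.001.0000005.1.r.210709",
    "nvr-2xxx":    "4.001.0000000.1.r.210710",
    "nvr-4xxx":    "4.001.0000005.1.r.210713",
    "nvr-5xxx":    "4.001.0000000.0.r.210710",
    "nvr-6xx":     "4.001.0000001.1.r.210716",
    "vth-542xh":   "4.500.0000002.0.r.210715",
    "vto-65xxx":   "4.300.0000004.0.r.210715",
}

# Optional leading V, four numeric fields, an R marker, then a six-digit date.
_VERSION_RE = re.compile(r"^[vV]?(\d+)\.(\d+)\.(\d+)\.(\d+)\.[rR]\.(\d{6})$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return (major, minor, build, rev, yymmdd) as ints; ValueError if malformed."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Dahua version string: {text!r}")
    major, minor, build, rev, date = (int(g) for g in match.groups())
    return (major, minor, build, rev, date)


def is_affected(family: str, version: str) -> Optional[bool]:
    """True/False for a listed family; None when the family is not in the table."""
    limit = AFFECTED_MAX.get(family.lower())
    if limit is None:
        return None
    return parse_version(version) <= parse_version(limit)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> dict:
    """Map hostname -> verdict for (hostname, family, version) records."""
    labels = {True: "affected", False: "not in affected range", None: "family not in table"}
    verdicts = {}
    for host, family, version in inventory:
        try:
            verdicts[host] = labels[is_affected(family, version)]
        except ValueError:
            verdicts[host] = "unparseable"   # surface bad data instead of skipping it
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    SAMPLE = [
        ("cam-lobby-01", "ipc-hx5xxx", "V2.820.0000000.5.R.210705"),  # equals the maximum
        ("cam-dock-02",  "ipc-hx5xxx", "2.820.0000000.5.R.210811"),   # later build date
        ("nvr-core-01",  "nvr-4xxx",   "4.001.0000004.9.R.210801"),   # lower build, later date
        ("vto-gate-01",  "vto-65xxx",  "4.300.0000004.0.R.210715"),   # equals the maximum
        ("xvr-store-01", "xvr-4x04",   "4.001.0000000.0.R.210710"),   # line not transcribed
        ("cam-yard-03",  "ipc-hx3xxx", "fw 2.8"),                     # malformed record
    ]
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:14} {verdict}")
```

The ordering assumption matters for the nvr-core-01 record: its build date is later than the listed maximum, but its build number is lower, so under the stated tuple comparison it is still reported as affected. If your fleet data shows that Dahua build dates and build numbers disagree, confirm against the vendor advisory rather than trusting either field alone.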

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

AC-3 Access Enforcement (prevent): requires the system to enforce approved authorizations before granting logical access, so a login that has not actually completed authentication cannot reach protected functions. This is the control the malicious-packet bypass defeats on affected firmware.

IA-2 Identification and Authentication (Organizational Users) (prevent): mandates unique identification and authentication of users before any system access, directly addressing the identity-authentication flaw.

IA-3 Device Identification and Authentication (prevent): requires strong, and under its enhancement cryptographic, device-to-device identification and authentication, mitigating the device-identity bypass vector.

These controls describe the program-level requirement; on an affected device they are only met by applying the vendor firmware update. Until that is done, restricting network access to the device's login interface to trusted management hosts is the practical compensating measure.
