{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dahua/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-29114"},{"id":"CVE-2026-29115"},{"id":"CVE-2026-29116"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Dahua IPC models (firmware before 2026-04-15)"],"_cs_severities":["low"],"_cs_tags":["vulnerability","certificate-abuse","dahua","pki","mitm"],"_cs_type":"advisory","_cs_vendors":["Dahua Technology"],"content_html":"\u003cp\u003eA low-severity certificate-trust vulnerability, CVE-2026-29114, impacts specific Dahua IPC (IP camera) models running firmware built prior to April 15, 2026. This vulnerability allows a remote attacker to obtain the device's internal CA root certificate. If this exposed root CA (or an intermediate certificate derived from it) has been installed and trusted on client workstations, browsers, or middleware, an attacker possessing the corresponding private key material can forge X.509 certificates that appear legitimate to the trusting clients. This capability enables person-in-the-middle (MITM) attacks against HTTPS or TLS-protected sessions that rely on the compromised trust anchor, severely undermining the confidentiality and integrity of communications. The issue is described with a CVSS 4.0 base score of 2.3 (LOW), largely due to deployment preconditions and passive user interaction requirements. Other related Dahua vulnerabilities, CVE-2026-29115 and CVE-2026-29116, were disclosed concurrently, but affect different products and have distinct impacts, primarily availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Dahua IPC device with firmware built before April 15, 2026.\u003c/li\u003e\n\u003cli\u003eThe attacker remotely accesses the IPC and exploits an unspecified mechanism to obtain the device's internal CA root certificate and potentially its private key material.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the compromised CA root certificate and private key to mint fraudulent X.509 certificates for arbitrary domains or services.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a Person-in-the-Middle (MITM) position to intercept network traffic between a client and a legitimate service.\u003c/li\u003e\n\u003cli\u003eDuring the MITM attack, the attacker presents the fraudulently issued X.509 certificate to the client.\u003c/li\u003e\n\u003cli\u003eIf the client workstation, browser, or middleware has previously had the compromised Dahua device CA installed and trusted in its trust store, it accepts the fraudulent certificate as legitimate.\u003c/li\u003e\n\u003cli\u003eThe attacker then decrypts, inspects, and potentially modifies the TLS-protected traffic between the client and the legitimate service.\u003c/li\u003e\n\u003cli\u003eConfidentiality and integrity of the intercepted communication are compromised, enabling data exfiltration or manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-29114 is the compromise of confidentiality and integrity of TLS-protected communications between client systems and legitimate services, facilitated by person-in-the-middle (MITM) attacks. While the direct impact on the vulnerable Dahua IPC itself is considered low (CVSS 2.3), the real danger lies in the ability of an attacker to forge trusted X.509 certificates. This can lead to sensitive data interception or alteration if client machines (such as operator PCs, VMS middleware, or corporate browsers) have erroneously installed and trust the exposed device CA. The vulnerability does not directly impact the availability of the device, nor does it lead to bulk exfiltration of recorded video. The number of potentially affected organizations and victims is proportional to the deployment of vulnerable Dahua IPC models with unpatched firmware and the practice of installing device CAs into enterprise trust stores.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all Dahua IPC units with firmware builds before April 15, 2026, to vendor-fixed versions as advised in the Dahua Product Security Incident (PSI) Trust Center reference.\u003c/li\u003e\n\u003cli\u003eRemove any Dahua-issued or device-embedded CA root certificates from all client workstation, browser, and middleware trust stores identified by the \u003ccode\u003eDetect Suspicious Dahua CA Roots in Windows Trust Store\u003c/code\u003e and \u003ccode\u003eDetect Suspicious Dahua CA Roots in Linux Trust Store\u003c/code\u003e Sigma rules.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect Suspicious Dahua CA Roots in Windows Trust Store\u003c/code\u003e Sigma rule to monitor PowerShell command line activity for auditing of suspicious root certificates.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect Suspicious Dahua CA Roots in Linux Trust Store\u003c/code\u003e Sigma rule to monitor process creation for \u003ccode\u003egrep\u003c/code\u003e commands searching for suspicious root certificates in common CA directories.\u003c/li\u003e\n\u003cli\u003eImplement strict PKI best practices for IPC deployments, ensuring that device-embedded CAs are never trusted enterprise-wide and that public or corporate PKI is preferred.\u003c/li\u003e\n\u003cli\u003eBlock unauthenticated administrative URLs on Dahua IPCs from untrusted networks to limit initial access opportunities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T07:06:03Z","date_published":"2026-07-11T07:06:03Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dahua-exposed-ca-root-cert/","summary":"A low-severity certificate-trust vulnerability (CVE-2026-29114) has been identified in select Dahua IPC (IP camera) models with firmware builds before April 15, 2026. A remote attacker can obtain the device's internal CA root certificate, which, if trusted by client workstations, browsers, or middleware, allows the attacker to mint fraudulent X.509 certificates, enabling person-in-the-middle (MITM) attacks against HTTPS or TLS-protected sessions, undermining confidentiality and integrity, with related CVEs for different impacts. Remediation involves upgrading firmware and removing improperly trusted device CAs from client trust stores.","title":"Dahua IPC Vulnerability CVE-2026-29114 Exposes CA Root Certificate","url":"https://feed.craftedsignal.io/briefs/2026-07-dahua-exposed-ca-root-cert/"}],"language":"en","title":"CraftedSignal Threat Feed - Dahua","version":"https://jsonfeed.org/version/1.1"}