<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dahua Technology - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/dahua-technology/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 07:06:03 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/dahua-technology/feed.xml" rel="self" type="application/rss+xml"/><item><title>Dahua IPC Vulnerability CVE-2026-29114 Exposes CA Root Certificate</title><link>https://feed.craftedsignal.io/briefs/2026-07-dahua-exposed-ca-root-cert/</link><pubDate>Sat, 11 Jul 2026 07:06:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dahua-exposed-ca-root-cert/</guid><description>A low-severity certificate-trust vulnerability (CVE-2026-29114) has been identified in select Dahua IPC (IP camera) models with firmware builds before April 15, 2026. A remote attacker can obtain the device's internal CA root certificate, which, if trusted by client workstations, browsers, or middleware, allows the attacker to mint fraudulent X.509 certificates, enabling person-in-the-middle (MITM) attacks against HTTPS or TLS-protected sessions, undermining confidentiality and integrity, with related CVEs for different impacts. Remediation involves upgrading firmware and removing improperly trusted device CAs from client trust stores.</description><content:encoded><![CDATA[<p>A low-severity certificate-trust vulnerability, CVE-2026-29114, impacts specific Dahua IPC (IP camera) models running firmware built prior to April 15, 2026. This vulnerability allows a remote attacker to obtain the device's internal CA root certificate. If this exposed root CA (or an intermediate certificate derived from it) has been installed and trusted on client workstations, browsers, or middleware, an attacker possessing the corresponding private key material can forge X.509 certificates that appear legitimate to the trusting clients. This capability enables person-in-the-middle (MITM) attacks against HTTPS or TLS-protected sessions that rely on the compromised trust anchor, severely undermining the confidentiality and integrity of communications. The issue is described with a CVSS 4.0 base score of 2.3 (LOW), largely due to deployment preconditions and passive user interaction requirements. Other related Dahua vulnerabilities, CVE-2026-29115 and CVE-2026-29116, were disclosed concurrently, but affect different products and have distinct impacts, primarily availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable Dahua IPC device with firmware built before April 15, 2026.</li>
<li>The attacker remotely accesses the IPC and exploits an unspecified mechanism to obtain the device's internal CA root certificate and potentially its private key material.</li>
<li>The attacker utilizes the compromised CA root certificate and private key to mint fraudulent X.509 certificates for arbitrary domains or services.</li>
<li>The attacker establishes a Person-in-the-Middle (MITM) position to intercept network traffic between a client and a legitimate service.</li>
<li>During the MITM attack, the attacker presents the fraudulently issued X.509 certificate to the client.</li>
<li>If the client workstation, browser, or middleware has previously had the compromised Dahua device CA installed and trusted in its trust store, it accepts the fraudulent certificate as legitimate.</li>
<li>The attacker then decrypts, inspects, and potentially modifies the TLS-protected traffic between the client and the legitimate service.</li>
<li>Confidentiality and integrity of the intercepted communication are compromised, enabling data exfiltration or manipulation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of CVE-2026-29114 is the compromise of confidentiality and integrity of TLS-protected communications between client systems and legitimate services, facilitated by person-in-the-middle (MITM) attacks. While the direct impact on the vulnerable Dahua IPC itself is considered low (CVSS 2.3), the real danger lies in the ability of an attacker to forge trusted X.509 certificates. This can lead to sensitive data interception or alteration if client machines (such as operator PCs, VMS middleware, or corporate browsers) have erroneously installed and trust the exposed device CA. The vulnerability does not directly impact the availability of the device, nor does it lead to bulk exfiltration of recorded video. The number of potentially affected organizations and victims is proportional to the deployment of vulnerable Dahua IPC models with unpatched firmware and the practice of installing device CAs into enterprise trust stores.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all Dahua IPC units with firmware builds before April 15, 2026, to vendor-fixed versions as advised in the Dahua Product Security Incident (PSI) Trust Center reference.</li>
<li>Remove any Dahua-issued or device-embedded CA root certificates from all client workstation, browser, and middleware trust stores identified by the <code>Detect Suspicious Dahua CA Roots in Windows Trust Store</code> and <code>Detect Suspicious Dahua CA Roots in Linux Trust Store</code> Sigma rules.</li>
<li>Deploy the <code>Detect Suspicious Dahua CA Roots in Windows Trust Store</code> Sigma rule to monitor PowerShell command line activity for auditing of suspicious root certificates.</li>
<li>Deploy the <code>Detect Suspicious Dahua CA Roots in Linux Trust Store</code> Sigma rule to monitor process creation for <code>grep</code> commands searching for suspicious root certificates in common CA directories.</li>
<li>Implement strict PKI best practices for IPC deployments, ensuring that device-embedded CAs are never trusted enterprise-wide and that public or corporate PKI is preferred.</li>
<li>Block unauthenticated administrative URLs on Dahua IPCs from untrusted networks to limit initial access opportunities.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>vulnerability</category><category>certificate-abuse</category><category>dahua</category><category>pki</category><category>mitm</category></item></channel></rss>