CVE-2026-29116: Denial-of-service vulnerability in Dahua products (CVSS 8.7)
On June 10, 2026, the manufacturer Dahua Technology disclosed a vulnerability in many of its products, tracked as CVE-2026-29116. With a CVSS 4.0 score of 8.7, it is rated High. The vulnerability allows an unauthenticated attacker to trigger an unexpected reboot of the target system by sending a specially crafted network packet, thereby causing a denial-of-service (DoS) condition.
Technical Details and Attack Vector
According to the security advisory from Dahua (DHCC-SA-202606-001), the vulnerability can be exploited remotely without any authentication or user interaction. An attacker merely needs network access to a vulnerable device. The manipulated packet causes an exception in the device firmware, leading to an immediate reboot. Repeated attacks can permanently compromise the device’s availability.
The CVSS vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N confirms this:
- AV:N (Attack Vector: Network): The attack is carried out over the network.
- PR:N (Privileges Required: None): No login credentials or permissions are required.
- VA:H (Vulnerable System Availability: High): The impact on system availability is significant.
According to this assessment, data confidentiality and integrity are not affected. The primary source of information is currently the manufacturer’s advisory, as the entry in the National Vulnerability Database (NVD) had not yet been updated with further details at the time of the analysis.
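Because the only observable effect described above is an unexpected reboot, repeated uptime resets are the symptom worth monitoring for. The following is an added example, not code from Dahua or from this article; it assumes uptime is polled every few minutes (for example via SNMP sysUpTime), and the device names, thresholds and poll data are constructed. It flags reboot loops of any cause and does not identify CVE-2026-29116 specifically.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WRAP_S = 2**32 / 100  # SNMP sysUpTime (32-bit, 1/100 s ticks) wraps after ~497 days
TOLERANCE_S = 30      # assumed allowance for poll jitter

# Constructed sample polls: (poll time, device, reported uptime in seconds).
POLLS = [
    ("2026-06-12T10:00:00", "cam-lobby", 864000),
    ("2026-06-12T10:05:00", "cam-lobby", 120),
    ("2026-06-12T10:10:00", "cam-lobby", 200),  # higher than 120, still a reboot
    ("2026-06-12T10:15:00", "cam-lobby", 40),
    ("2026-06-12T10:00:00", "nvr-01", 500000),
    ("2026-06-12T10:05:00", "nvr-01", 500300),
    ("2026-06-12T10:10:00", "nvr-01", 30),      # single reboot, e.g. maintenance
    ("2026-06-12T10:15:00", "nvr-01", 330),
    ("2026-06-12T10:00:00", "acs-door", WRAP_S - 100),
    ("2026-06-12T10:05:00", "acs-door", 200),   # counter wrap, not a reboot
]


def find_reboots(polls):
    """Return {device: [estimated boot time, ...]} for every uptime reset."""
    reboots, last = defaultdict(list), {}
    for ts, dev, uptime in sorted(polls):
        now = datetime.fromisoformat(ts)
        if dev in last:
            prev_t, prev_up = last[dev]
            elapsed = (now - prev_t).total_seconds()
            # Uptime should have grown by the poll interval (modulo counter wrap).
            # Comparing against the expected value, not the previous one, also
            # catches a device that rebooted again while its uptime was short.
            expected = (prev_up + elapsed) % WRAP_S
            if uptime < expected - TOLERANCE_S:
                reboots[dev].append(now - timedelta(seconds=uptime))
        last[dev] = (now, uptime)
    return dict(reboots)


def reboot_loops(polls, min_reboots=2, window=timedelta(minutes=15)):
    """Devices with at least min_reboots reboots inside one window."""
    flagged = {}
    for dev, boots in find_reboots(polls).items():
        for i, first in enumerate(boots):
            n = sum(1 for b in boots[i:] if b - first <= window)
            if n >= min_reboots:
                flagged[dev] = max(flagged.get(dev, 0), n)
    return flagged
```

A flagged device is a candidate for correlation with network captures or firewall logs from the same time window.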
Affected systems and operational risks
The vulnerability affects a broad range of IoT and OT systems that are widely used in physical security infrastructures. These include, among others:
- IP cameras (IPC)
- Network and Digital Video Recorders (NVR, XVR)
- Enterprise Video Storage (EVS)
- Video door intercom systems (VTO/VTH)
- Access Control Systems (ASI)
- Thermal cameras (TPC)
Since the manufacturer has not yet specified any particular model series or firmware versions, it is difficult to identify the affected devices with certainty. The operational risk is significant: A DoS attack on surveillance cameras can create blind spots in security zones, while the failure of an access control system can block physical access to critical areas.
CVE-2026-29116 is not the first security incident involving Dahua. In July 2025, critical vulnerabilities (CVE-2025-31700 and CVE-2025-31701, CVSS 8.1) were publicly disclosed in Dahua camera firmware, allowing unauthenticated attackers to execute code remotely. In August 2024, the U.S. agency CISA warned of active exploitation of older Dahua authentication vulnerabilities (CVE-2021-33044 and CVE-2021-33045, CVSS 9.8) in the wild. These recurring incidents underscore the need for continuous vendor risk management for technology partners using Dahua products. Sources: SecurityAffairs/Bitdefender (July 2025); SecurityWeek/CISA KEV (August 2024).
Recommendations for Operators
Companies should focus on reducing their attack surface and promptly install available firmware updates.
Immediate measures:
1. Inventory: Identify all Dahua devices in your infrastructure.
2. Exposure analysis: Check which of these devices can be accessed via the Internet.
3. Network segmentation: Isolate critical security systems in protected network segments to prevent unauthorized access.
4. Access restriction: Block network access to the devices' administrative services from untrusted networks.
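The four immediate measures can be checked together against an asset inventory and the firewall allow rules. The following is an added example, not part of the original article or any vendor tooling; the inventory, rule format, trusted network, segment names and admin ports are all constructed assumptions to be replaced with your own data.

```python
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration.
TRUSTED = [ip_network("10.20.0.0/24")]  # assumed management/VPN network
ADMIN_PORTS = {80, 443}                 # assumed admin services; adjust per device

INVENTORY = [  # (name, vendor, type, ip, segment)
    ("cam-gate", "Dahua", "IPC", "10.50.1.10", "cctv"),
    ("nvr-01", "Dahua", "NVR", "10.50.1.20", "cctv"),
    ("door-3", "Dahua", "ASI", "10.10.4.7", "office"),
    ("printer", "OtherVendor", "MFP", "10.10.4.9", "office"),
]
ALLOW_RULES = [  # (source network, destination network, destination port)
    ("10.20.0.0/24", "10.50.1.0/24", 443),  # management network -> cameras
    ("0.0.0.0/0", "10.50.1.20/32", 80),     # port forward from the Internet
    ("10.10.0.0/16", "10.10.4.0/24", 443),  # whole office LAN -> door controller
]


def untrusted(src_net):
    """A source is untrusted unless it lies entirely inside a trusted network."""
    return not any(src_net.subnet_of(t) for t in TRUSTED)


def audit(inventory, rules, isolated_segments=("cctv",)):
    """Return (device, finding) pairs for Dahua devices that violate steps 2-4."""
    findings = []
    for name, vendor, _kind, ip, segment in inventory:
        if vendor.lower() != "dahua":          # step 1: select Dahua devices
            continue
        if segment not in isolated_segments:   # step 3: segmentation
            findings.append((name, "not in an isolated segment"))
        for src, dst, port in rules:           # steps 2 and 4: exposure, access
            reaches = ip_address(ip) in ip_network(dst) and port in ADMIN_PORTS
            if reaches and untrusted(ip_network(src)):
                findings.append((name, f"port {port} reachable from {src}"))
    return findings
```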
Medium-term measures:
- Update Management: Install the firmware updates provided by the manufacturer after carefully reviewing them. Continue to monitor the Dahua Cybersecurity Center (DHCC) for new security advisories.
- Secure remote access: Make sure that remote access to these systems is only granted via secure connections, such as VPNs.
This is particularly relevant for operators in the DACH region: Companies and government agencies that use Dahua devices in security-sensitive areas may fall under the NIS 2 Directive, which mandates network security measures for operators of critical infrastructure. If a DoS attack leads to an outage affecting personal data, the 72-hour reporting requirement under Article 33 of the GDPR also applies. The BSI generally recommends consistent network segmentation of IoT devices and their isolation from the corporate network.
How EASM and VRM Reduce the Risk of IoT Vulnerabilities
The challenge with devices like those from Dahua is often that they exist as "shadow IT" outside of central IT management. They are installed by line-of-business departments or service providers and are often inadequately documented and secured, which makes them invisible to the security team.
External Attack Surface Management (EASM) from LocateRisk addresses this problem by continuously scanning a company’s external, internet-connected infrastructure. This allows even unknown or forgotten assets, such as cameras, video recorders, or access control systems, to be identified and added to a comprehensive asset inventory. Exposed administrative services, open ports, and configuration drift become visible before attackers can exploit them, regardless of whether a device has been recorded by central IT or not.
In addition, continuous Vendor Risk Management (VRM) assesses the security posture of suppliers and technology partners. Given the repeated security incidents at Dahua, structured monitoring of vendor security is a key component in realistically assessing one’s own risk profile. LocateRisk is a "Made in Germany" solution hosted in German data centers that helps companies comply with GDPR requirements and reduce the risk associated with non-European data access.
Sources and further information
- Dahua PSIRT Security Advisory (DHCC-SA-202606-001): dahuasecurity.com
- NVD entry for CVE-2026-29116: nvd.nist.gov
- SecurityAffairs: Dahua Camera Vulnerabilities (CVE-2025-31700/-31701), July 2025: securityaffairs.com
- SecurityWeek: CISA Warns of Actively Exploited Dahua Vulnerabilities (CVE-2021-33044/-33045), August 2024: securityweek.com
Do you know your external attack surface?
Continuous monitoring of your external IT systems is essential for identifying exposed devices and associated vulnerabilities at an early stage. LocateRisk provides a comprehensive analysis of your attack surface.
Frequently asked questions
CVE-2026-29116 is a vulnerability in various Dahua Technology products that was disclosed by the manufacturer on June 10, 2026. It has a CVSS 4.0 score of 8.7 (High) and allows an unauthenticated attacker to remotely trigger an unexpected reboot of the target system by sending a specially crafted network packet, thereby causing a denial-of-service condition.
According to the manufacturer’s advisory (DHCC-SA-202606-001), several product categories are affected, including IP cameras, network and digital video recorders (NVR, XVR), enterprise video storage, video door intercoms, access control systems, and thermal cameras. At the time of publication, Dahua had not yet specified any specific model series or affected firmware versions.
The most important immediate measure is network segmentation: Dahua devices should be operated in isolated network segments and should not be directly accessible from the internet. Remote access should only be permitted via secure VPN connections. In addition, operators should actively monitor the Dahua Cybersecurity Center (DHCC) for new firmware updates.